[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.

Kim Davies kim.davies at iana.org
Mon Apr 6 16:16:37 UTC 2020

Quoting Michael Richardson on Saturday April 04, 2020:
> I was locating appropriate references for explaining Key signing ceremonies,
> and noticed the report of the safe problems at:
>     https://www.theregister.co.uk/2020/02/13/iana_dnssec_ksk_delay/
>     https://www.icann.org/news/blog/root-key-signing-key-ceremony-postponed
> and then the schedule at:
>     https://www.iana.org/dnssec/ceremonies
> in which April 23 is the next date.
> Will travel bans cause a problem?  I kinda hope the travel bans are enforced.

We are developing contingency plans for holding the key ceremony. At this stage
the ceremony will not be held in its normal configuration. It _may_ be held on
that date, or the date may be adjusted. Once we have a more definitive approach
finalized we'll update the website and notify our normal channels.

We expect it to be around that date, nonetheless.

>     "Introduce HSM6E"
> Does this mean that a new HSM device will be added?

That is part of the original agenda, but that will almost certainly be
postponed until a later ceremony. We are trying to perform the bare minimum of
operations for the forthcoming ceremony.

In normal operations, we have a 5 year service life for our HSMs, and
we have four in service, so we replace a HSM roughly once a year in a
staggered fashion.

> I see RRSIG from keyid 20326 (current root) will expire 20200422000000.
> Maybe there is another RRSIG hidden away that I can't see?

From the audit materials on the IANA website, here are the signatures
generated at the last key ceremony:

Generated new SKR in /media/KSR/KSK40/skr-root-2020-q2-0.xml
#  Inception           Expiration           ZSK Tags      KSK Tag(CKA_LABEL)
1  2020-04-01T00:00:00 2020-04-22T00:00:00  33853,48903   20326(Klajeyz)/S
2  2020-04-11T00:00:00 2020-05-02T00:00:00  48903         20326(Klajeyz)/S
3  2020-04-21T00:00:00 2020-05-12T00:00:00  48903         20326(Klajeyz)/S
4  2020-05-01T00:00:00 2020-05-22T00:00:00  48903         20326(Klajeyz)/S
5  2020-05-11T00:00:00 2020-06-01T00:00:00  48903         20326(Klajeyz)/S
6  2020-05-21T00:00:00 2020-06-11T00:00:00  48903         20326(Klajeyz)/S
7  2020-05-31T00:00:00 2020-06-21T00:00:00  48903         20326(Klajeyz)/S
8  2020-06-10T00:00:00 2020-07-01T00:00:00  48903         20326(Klajeyz)/S
9  2020-06-20T00:00:00 2020-07-11T00:00:00  46594,48903   20326(Klajeyz)/S

> https://www.iana.org/dnssec/icann-dps.txt
> I am unclear from reading things over again how the ZSK gets to the ceremony.
> Is a new ZSK keypair generated during the KSK, or is it generated elsewhere
> and only the public part brought?

There is an encrypted authentication channel where the "key signing request"
(KSR) and the "signed key response" (SKR) are exchanged between the KSK
operator (IANA) and the ZSK operator (Verisign). Verisign representatives
attend to the hash of the KSR that is sent as part of the ceremony to validate
it hasn't been tampered with in transit.


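The SKR signature schedule quoted in the message above, as an added example that is not part of the original post and is not IANA's or Verisign's tooling: a small Python parser for the bundle table that checks that successive RRSIG validity windows overlap (so the quarter has no uncovered date), lists which bundles are valid on a given date, and reports which one is published on that date. The "published bundle" rule (the bundle with the latest inception on or before the date) is an assumption read off the table's 10-day spacing; the message does not state how bundles are selected for publication. The table text is copied from the message.

```python
"""Check coverage of the pre-signed DNSKEY RRsets listed in an SKR summary.

Added example, not code from the ksk-rollover list, IANA or Verisign.
It parses the bundle table quoted in the message, verifies that the RRSIG
validity windows overlap with no gap, and answers "which bundle is valid /
published on date X".  The 10-day slot interpretation of "published" is an
assumption drawn from the table's spacing, not something the message states.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Signature list copied from the message (skr-root-2020-q2-0.xml).
SKR_SUMMARY = """\
#  Inception           Expiration           ZSK Tags      KSK Tag(CKA_LABEL)
1  2020-04-01T00:00:00 2020-04-22T00:00:00  33853,48903   20326(Klajeyz)/S
2  2020-04-11T00:00:00 2020-05-02T00:00:00  48903         20326(Klajeyz)/S
3  2020-04-21T00:00:00 2020-05-12T00:00:00  48903         20326(Klajeyz)/S
4  2020-05-01T00:00:00 2020-05-22T00:00:00  48903         20326(Klajeyz)/S
5  2020-05-11T00:00:00 2020-06-01T00:00:00  48903         20326(Klajeyz)/S
6  2020-05-21T00:00:00 2020-06-11T00:00:00  48903         20326(Klajeyz)/S
7  2020-05-31T00:00:00 2020-06-21T00:00:00  48903         20326(Klajeyz)/S
8  2020-06-10T00:00:00 2020-07-01T00:00:00  48903         20326(Klajeyz)/S
9  2020-06-20T00:00:00 2020-07-11T00:00:00  46594,48903   20326(Klajeyz)/S
"""

# number, inception, expiration, comma-separated ZSK tags, KSK tag(label)/flag
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([\d,]+)\s+(\d+)\(([^)]*)\)/(\w)\s*$")


@dataclass(frozen=True)
class Bundle:
    number: int
    inception: datetime
    expiration: datetime
    zsk_tags: tuple
    ksk_tag: int
    ksk_label: str


def to_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def parse_skr_summary(text):
    """Parse the bundle table; header and non-matching lines are skipped."""
    bundles = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bundles.append(Bundle(
            number=int(m.group(1)),
            inception=datetime.fromisoformat(m.group(2)),
            expiration=datetime.fromisoformat(m.group(3)),
            zsk_tags=tuple(int(t) for t in m.group(4).split(",")),
            ksk_tag=int(m.group(5)),
            ksk_label=m.group(6),
        ))
    return sorted(bundles, key=lambda b: b.inception)


def coverage_gaps(bundles):
    """(start, end) intervals from first inception to last expiration with no valid RRSIG."""
    gaps = []
    covered_until = bundles[0].inception
    for b in bundles:
        if b.inception > covered_until:
            gaps.append((covered_until, b.inception))
        covered_until = max(covered_until, b.expiration)
    return gaps


def min_overlap_days(bundles):
    """Smallest overlap, in days, between each window and the next one's inception."""
    return min((cur.expiration - nxt.inception).days
               for cur, nxt in zip(bundles, bundles[1:]))


def valid_bundles(bundles, when):
    """Bundles whose RRSIG is valid at `when` (inception <= when < expiration)."""
    when = to_dt(when)
    return [b for b in bundles if b.inception <= when < b.expiration]


def published_bundle(bundles, when):
    """Assumed slot rule: the bundle with the latest inception on or before `when`."""
    when = to_dt(when)
    candidates = [b for b in bundles if b.inception <= when]
    return max(candidates, key=lambda b: b.inception) if candidates else None


def ksk_tags(bundles):
    """Set of KSK key tags used across the SKR; one tag means no KSK change this quarter."""
    return {b.ksk_tag for b in bundles}


if __name__ == "__main__":
    bs = parse_skr_summary(SKR_SUMMARY)
    print("bundles:", len(bs), "gaps:", coverage_gaps(bs), "KSKs:", ksk_tags(bs))
    print("min overlap (days):", min_overlap_days(bs))
    for day in ("2020-04-04", "2020-04-21T12:00:00", "2020-04-22"):
        pub = published_bundle(bs, day)
        print(day, "valid:", [b.number for b in valid_bundles(bs, day)],
              "published:", pub.number, "expires", pub.expiration.isoformat())
```

Run against the quoted table, this reports no coverage gap, a single KSK tag (20326) for the whole quarter, and an 11-day overlap between every window and the next. On 2020-04-04, when the question was asked, the published bundle is number 1, whose RRSIG expires 2020-04-22T00:00:00, which is the expiration observed in the quoted question; bundle 2 was signed at the same ceremony and, under the slot assumption, takes over on 2020-04-11, so the "other RRSIG" is simply one not yet published.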