[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.
dwessels at verisign.com
Mon Apr 6 17:20:14 UTC 2020
> On Apr 5, 2020, at 2:05 PM, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
>> A Flash Drive is inserted in Step 5 (Page 14). The KSR is on it.
> It seems like the weakest link, btw.
Sections 5.6 and 6.7 of the KSK operator DNSSEC Practice Statement explain how the KSR is transferred and verified:
5.6. Network Security Controls
No part of the signer system making use of the HSM is connected to
any communications network. Communication of ZSK key signing
requests (KSR) from the Root Zone Maintainer/ZSK Operator is done
using a TLS client-side authenticated web server connected to the RZ
KSK Operator's production network. Transfer of a KSR from the web
server to the signer system is performed manually using removable
media (refer to Section 6.7 for further details on verification of
6.7. Verification of zone signing key set
Each key set within the Key Signing Request (KSR) is self-signed with
the active key to provide proof of possession of the corresponding
private key. The signer system will automatically validate this
signature and perform checking of available parameters before
accepting the KSR for signing.
The RZ KSK Operator will verify the authenticity of the KSR document
by performing an out-of-band verification (verbally over the phone,
by fax, or any other available method) of the hash of the KSR, before
entering the KSR into the signer system. The resulting Signed Key
Response (SKR) is transferred back using the same TLS client-side
authenticated connection used to receive the KSR from the Root Zone
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4695 bytes
Desc: not available
More information about the ksk-rollover