[ksk-rollover] ceremonies in April, and managing things less critical and the KSK.

Wessels, Duane dwessels at verisign.com
Mon Apr 6 17:20:14 UTC 2020

> On Apr 5, 2020, at 2:05 PM, Michael Richardson <mcr+ietf at sandelman.ca> wrote:
>> A Flash Drive is inserted in Step 5 (Page 14).  The KSR is on it.
> It seems like the weakest link, btw.

Hi Michael,

Sections 5.6 and 6.7 of the KSK operator DNSSEC Practice Statement explain how the KSR is transferred and verified:

5.6.  Network Security Controls

   No part of the signer system making use of the HSM is connected to
   any communications network.  Communication of ZSK key signing
   requests (KSR) from the Root Zone Maintainer/ZSK Operator is done
   using a TLS client-side authenticated web server connected to the RZ
   KSK Operator's production network.  Transfer of a KSR from the web
   server to the signer system is performed manually using removable
   media (refer to Section 6.7 for further details on verification of
   the KSR).

6.7.  Verification of zone signing key set

   Each key set within the Key Signing Request (KSR) is self-signed with
   the active key to provide proof of possession of the corresponding
   private key.  The signer system will automatically validate this
   signature and perform checking of available parameters before
   accepting the KSR for signing.

   The RZ KSK Operator will verify the authenticity of the KSR document
   by performing an out-of-band verification (verbally over the phone,
   by fax, or any other available method) of the hash of the KSR, before
   entering the KSR into the signer system.  The resulting Signed Key
   Response (SKR) is transferred back using the same TLS client-side
   authenticated connection used to receive the KSR from the Root Zone

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4695 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20200406/869d4253/smime.p7s>

More information about the ksk-rollover mailing list