[ksk-rollover] Root Zone KSK Rollover and HSM Update

Olaf Kolkman kolkman at isoc.org
Mon Jul 31 12:03:59 UTC 2023


I wonder if the functionality we rely on is standardized enough to 
procure from different vendors; that would reduce the risk of single-
vendor vulnerabilities, like a batch of faulty condensers, or other on 
pront hardware.

— Olaf


On 19 Jul 2023, at 0:29, James Mitchell via ksk-rollover wrote:

> In April we announced that the manufacturer of our hardware security 
> modules (HSMs) will cease production of the devices 
> https://mm.icann.org/pipermail/root-dnssec-announce/2023/000157.html.
>
> As noted in that communication, we continued with our previously 
> announced plans to begin the first phases of a KSK rollover. We 
> generated a new KSK at the KSK Ceremony 49 in April, and plan to 
> replicate the KSK to the second facility in the upcoming KSK Ceremony 
> 50 this week.
>
> In the past few months we've procured Keyper HSMs to both meet our 
> replacement schedule and provide additional spare units. We've been 
> engaging HSM manufacturers to identify a new vendor and collaborating 
> with our root zone management partner, Verisign, who is also impacted 
> in relation to management of the root zone ZSK. The operational 
> considerations for the ZSK differ from the KSK, particularly given the 
> need for online day-to-day signing, but the security of the root zone 
> relies on the robustness of all of these parts.
>
> In light of the uncertainty surrounding the future configuration of 
> the HSMs, we have decided to not immediately update the root zone 
> trust anchor files with the digest of KSK-2023 immediately following 
> Ceremony 50. There is a strong likelihood we will seek to generate a 
> new KSK on a new HSM platform once operationalized, which will cause 
> us to abandon the recently generated KSK. We will however retain the 
> recently generated KSK for now should those plans not pan out in a 
> suitable time frame.
>
> Potential options are being actively evaluated, and we expect to have 
> developed a preferred remediation approach in the coming months. While 
> we don't have all the answers at this time, we encourage questions and 
> feedback from trusted community representatives and other interested 
> observers. This input will help inform our future planning.
>
> James Mitchell
> Director, IANA Technical Services




- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Olaf M. Kolkman
Principal, Internet Society
https://www.internetsociety.org
Used to tweet as: @kolkman, Toots from: social.secret-wg.org/@olaf

Talk to me if you or your organization wants to support our cause.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -