[ksk-rollover] Root Zone KSK Rollover and HSM Update
Olaf Kolkman
kolkman at isoc.org
Mon Jul 31 12:03:59 UTC 2023
I wonder if the functionality we rely on is standardized enough to
procure from different vendors; that would reduce the risk of single-
vendor vulnerabilities, like a batch of faulty condensers, or other on
pront hardware.
— Olaf
On 19 Jul 2023, at 0:29, James Mitchell via ksk-rollover wrote:
> In April we announced that the manufacturer of our hardware security
> modules (HSMs) will cease production of the devices
> https://mm.icann.org/pipermail/root-dnssec-announce/2023/000157.html.
>
> As noted in that communication, we continued with our previously
> announced plans to begin the first phases of a KSK rollover. We
> generated a new KSK at the KSK Ceremony 49 in April, and plan to
> replicate the KSK to the second facility in the upcoming KSK Ceremony
> 50 this week.
>
> In the past few months we've procured Keyper HSMs to both meet our
> replacement schedule and provide additional spare units. We've been
> engaging HSM manufacturers to identify a new vendor and collaborating
> with our root zone management partner, Verisign, who is also impacted
> in relation to management of the root zone ZSK. The operational
> considerations for the ZSK differ from the KSK, particularly given the
> need for online day-to-day signing, but the security of the root zone
> relies on the robustness of all of these parts.
>
> In light of the uncertainty surrounding the future configuration of
> the HSMs, we have decided to not immediately update the root zone
> trust anchor files with the digest of KSK-2023 immediately following
> Ceremony 50. There is a strong likelihood we will seek to generate a
> new KSK on a new HSM platform once operationalized, which will cause
> us to abandon the recently generated KSK. We will however retain the
> recently generated KSK for now should those plans not pan out in a
> suitable time frame.
>
> Potential options are being actively evaluated, and we expect to have
> developed a preferred remediation approach in the coming months. While
> we don't have all the answers at this time, we encourage questions and
> feedback from trusted community representatives and other interested
> observers. This input will help inform our future planning.
>
> James Mitchell
> Director, IANA Technical Services
> _______________________________________________
> ksk-rollover mailing list
> ksk-rollover at icann.org
> https://mm.icann.org/mailman/listinfo/ksk-rollover
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Olaf M. Kolkman
Principal, Internet Society
https://www.internetsociety.org
Used to tweet as: @kolkman, Toots from: social.secret-wg.org/@olaf
Talk to me if you or your organization wants to support our cause.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -