[ksk-rollover] Root Zone KSK Rollover and HSM Update
Frederico A C Neves
fneves at registro.br
Mon Jul 31 12:53:28 UTC 2023
On Mon, Jul 31, 2023 at 02:03:59PM +0200, Olaf Kolkman via ksk-rollover wrote:
>
> I wonder if the functionality we rely on is standardized enough to
> procure from different vendors, that would reduce the risk in single
> vendor vulnerabilities, like a batch of faulty condensers, or other on
> pront hardware.
From our experience, besides admin interfaces, standard APIs for
regular operations (generating keys, sign, verify etc.) are available
(PKCS#11/KMIP) from multiple vendors. But exporting/importing a key,
especially with the no-export attribute set, among vendors is not
available.
So to switch vendors you'll need to do a keyroll still having access
to the old HSMs.
>
> — Olaf
>
Fred
>
> On 19 Jul 2023, at 0:29, James Mitchell via ksk-rollover wrote:
>
> > In April we announced that the manufacturer of our hardware security
> > modules (HSMs) will cease production of the devices
> > https://mm.icann.org/pipermail/root-dnssec-announce/2023/000157.html.
> >
> > As noted in that communication, we continued with our previously
> > announced plans to begin the first phases of a KSK rollover. We
> > generated a new KSK at the KSK Ceremony 49 in April, and plan to
> > replicate the KSK to the second facility in the upcoming KSK Ceremony
> > 50 this week.
> >
> > In the past few months we've procured Keyper HSMs to both meet our
> > replacement schedule and provide additional spare units. We've been
> > engaging HSM manufacturers to identify a new vendor and collaborating
> > with our root zone management partner, Verisign, who is also impacted
> > in relation to management of the root zone ZSK. The operational
> > considerations for the ZSK differ from the KSK, particularly given the
> > need for online day-to-day signing, but the security of the root zone
> > relies on the robustness of all of these parts.
> >
> > In light of the uncertainty surrounding the future configuration of
> > the HSMs, we have decided to not immediately update the root zone
> > trust anchor files with the digest of KSK-2023 immediately following
> > Ceremony 50. There is a strong likelihood we will seek to generate a
> > new KSK on a new HSM platform once operationalized, which will cause
> > us to abandon the recently generated KSK. We will however retain the
> > recently generated KSK for now should those plans not pan out in a
> > suitable time frame.
> >
> > Potential options are being actively evaluated, and we expect to have
> > developed a preferred remediation approach in the coming months. While
> > we don't have all the answers at this time, we encourage questions and
> > feedback from trusted community representatives and other interested
> > observers. This input will help inform our future planning.
> >
> > James Mitchell
> > Director, IANA Technical Services
>
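The vendor-switch constraint discussed in this thread (standard PKCS#11 sign/verify works across vendors, but a key with the no-export attribute cannot be moved, so the only path is a key rollover during which both the old and the new HSM stay online) can be modelled in a few lines. The following is an added illustration, not code from this list, from ICANN/IANA, or from any HSM vendor. `ToyHsm`, its HMAC-based "signature", the DNSKEY encoding, the vendor names and the key tags 1001/2002 are all constructed stand-ins; a real KSK is asymmetric and only its public half leaves the device.

```python
"""Toy model of moving a KSK between HSM vendors when the private key is
non-extractable.  Added illustration for this thread, not code from the
list, ICANN/IANA, or any HSM vendor.  ToyHsm and its HMAC 'signature' are
constructed stand-ins for a PKCS#11 key object; key tags 1001/2002 and the
vendor names are made up."""
import hashlib
import hmac
import os


class NonExtractableKey(Exception):
    """Export attempted on a key created without the extractable attribute."""


class ToyPublicKey:
    """Verification half that may leave the device freely.
    Toy only: the material is the HMAC secret itself, so here it is NOT
    safe to publish; a real KSK is asymmetric and only the public half
    leaves the HSM."""

    def __init__(self, key_tag: int, material: bytes):
        self.key_tag = key_tag
        self._material = material

    def verify(self, rrset: bytes, sig: bytes) -> bool:
        expected = hmac.new(self._material, rrset, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


class ToyHsm:
    """Constructed stand-in for one vendor's HSM holding one KSK."""

    def __init__(self, vendor: str, key_tag: int):
        self.vendor = vendor
        self.key_tag = key_tag
        self._secret = os.urandom(32)          # never leaves this object
        self.public_key = ToyPublicKey(key_tag, self._secret)
        self.decommissioned = False

    def export_key(self) -> bytes:
        # PKCS#11 covers generate/sign/verify across vendors, but a key
        # created with CKA_EXTRACTABLE=false cannot be wrapped out.
        raise NonExtractableKey(f"{self.vendor} KSK {self.key_tag} is not extractable")

    def sign(self, rrset: bytes) -> bytes:
        if self.decommissioned:
            raise RuntimeError(f"{self.vendor} HSM no longer available")
        return hmac.new(self._secret, rrset, hashlib.sha256).digest()


def attempt_export(hsm: ToyHsm) -> bool:
    """True if the key could be exported for import into another vendor's HSM."""
    try:
        hsm.export_key()
        return True
    except NonExtractableKey:
        return False


def dnskey_rrset(key_tags) -> bytes:
    """Constructed encoding of the published DNSKEY RRset (key tags only)."""
    return b"DNSKEY:" + b",".join(str(t).encode() for t in sorted(key_tags))


def validates(rrset, sigs, trusted_tags, pubkeys) -> bool:
    """A validator accepts the RRset if some RRSIG is from a key it trusts."""
    return any(tag in trusted_tags and pubkeys[tag].verify(rrset, sig)
               for tag, sig in sigs.items())


def rollover_timeline(old_hsm: ToyHsm, new_hsm: ToyHsm):
    """Double-signature KSK rollover from old_hsm's vendor to new_hsm's.
    Each phase records who signed and whether validators holding the old
    or the new trust anchor accept the DNSKEY RRset."""
    pubkeys = {h.key_tag: h.public_key for h in (old_hsm, new_hsm)}
    phases = [
        ("pre-rollover", [old_hsm]),            # only the old key exists
        ("double-sign", [old_hsm, new_hsm]),    # overlap: both HSMs must be online
        ("new-only", [new_hsm]),                # old key withdrawn
    ]
    timeline = []
    for name, signers in phases:
        rrset = dnskey_rrset([h.key_tag for h in signers])
        sigs = {h.key_tag: h.sign(rrset) for h in signers}
        timeline.append({
            "phase": name,
            "signers": sorted(sigs),
            "old_anchor_ok": validates(rrset, sigs, {old_hsm.key_tag}, pubkeys),
            "new_anchor_ok": validates(rrset, sigs, {new_hsm.key_tag}, pubkeys),
        })
    # Only after the old key is gone from the RRset can the old vendor's
    # device be retired; before that its signatures are still needed.
    old_hsm.decommissioned = True
    return timeline


if __name__ == "__main__":
    old, new = ToyHsm("vendor-A", 1001), ToyHsm("vendor-B", 2002)
    print("export possible:", attempt_export(old))
    for phase in rollover_timeline(old, new):
        print(phase)
```

The timeline makes the operational point concrete: in the double-sign phase the old vendor's device must still be able to sign, otherwise validators that have not yet updated their trust anchor reject the RRset, and the new-only phase is the earliest point at which the old HSM can be taken offline.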