<div dir="ltr">Hello All, <div><br></div><div>I will apologize upfront. I am trying to follow all the threads to keep up. I want to make sure the key beginning with "AwEAAaz/" and ending with "UTV74bU=" is the new KSK key that needs to be in place for rollover. </div><div><br></div><div>The last question has made me feel there is a new key being generated. Is this the case? Again, I do apologize if I am off but I want to make sure I have the correct key in place. </div><div><br></div><div>Thank you for clearing this up for me. </div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 14, 2018 at 4:37 PM, Andres Pavez <span dir="ltr"><<a href="mailto:andres.pavez@iana.org" target="_blank">andres.pavez@iana.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Warren,<br>
Thanks for your suggestion, it is something that we may consider including in the script section relating to key generation.<br>
<br>
Anyway, the current software that is used to generate keys (kskgen) ensures the use of a unique random label of the newly generated key.<br>
<br>
<a href="https://github.com/iana-org/dnssec-keytools/blob/master/kskgen/kskgen.c" rel="noreferrer" target="_blank">https://github.com/iana-org/<wbr>dnssec-keytools/blob/master/<wbr>kskgen/kskgen.c</a><br>
<br>
Thanks,<br>
<span class="HOEnZb"><font color="#888888">--<br>
Andres Pavez<br>
Cryptographic Key Manager<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On 2/14/18, 12:41, "ksk-rollover on behalf of Warren Kumari" <<a href="mailto:ksk-rollover-bounces@icann.org">ksk-rollover-bounces@icann.<wbr>org</a> on behalf of <a href="mailto:warren@kumari.net">warren@kumari.net</a>> wrote:<br>
<br>
Apologies if this isn't the right place to propose this - the<br>
ksk-ceremony list didn't feel right...<br>
<br>
I think that it would be a useful addition to the script to ensure<br>
that, when a new KSK is generated, it does not have the same Key ID as<br>
any previous KSKs. If it *does* have the same Key ID, it should be<br>
discarded and a new one generated.<br>
<br>
Rationale: If we end up with multiple keys with the same Key ID it<br>
becomes very tricky to run things like RFC8145, KSK Sentinel, etc.<br>
Also, when doing troubleshooting / diagnostics, the key ID is an easy<br>
thing to use to differentiate keys.<br>
<br>
This has long been a source of low level concern for me, and I've been<br>
assured that if there were collisions during the ceremony, the right<br>
thing would likely happen -- but I think that this is worth explicitly<br>
noting what happens.<br>
<br>
I *did* look at the scripts, and didn't see a note on this; 'pologies<br>
if it is already covered and I missed it.<br>
<br>
W<br>
--<br>
I don't think the execution is relevant when it was obviously a bad<br>
idea in the first place.<br>
This is like putting rabid weasels in your pants, and later expressing<br>
regret at having chosen those particular rabid weasels and that pair<br>
of pants.<br>
---maf<br>
______________________________<wbr>_________________<br>
ksk-rollover mailing list<br>
<a href="mailto:ksk-rollover@icann.org">ksk-rollover@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ksk-rollover" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/<wbr>listinfo/ksk-rollover</a><br>
<br>
</div></div><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><br style="color:rgb(136,136,136)"></div><div dir="ltr" style="font-size:small"><span style="color:rgb(136,136,136)"><span style="background-image:initial;background-color:yellow;background-position:initial;background-repeat:initial">Sameka</span> S. McNeil </span></div><div dir="ltr" style="font-size:small"><span style="color:rgb(136,136,136)">Information Technology Specialist</span></div><span style="font-size:12.8px;color:rgb(136,136,136)">Phone: </span><a value="+13016285644" style="font-size:12.8px;color:rgb(17,85,204)">301.628.5644</a><span style="font-size:12.8px;color:rgb(136,136,136)"> </span><br style="font-size:12.8px;color:rgb(136,136,136)"><div dir="ltr"><span style="font-size:12.8px;color:rgb(136,136,136)">Cell: </span><a value="+12023609428" style="font-size:12.8px;color:rgb(17,85,204)">202.360.9428</a><span style="color:rgb(136,136,136)"> </span><br style="color:rgb(136,136,136)"><br></div></div></div></div></div></div></div>
</div>
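Added example, not part of the thread and not code from kskgen or the ceremony scripts: the check Warren proposes, assuming "Key ID" means the key tag defined in RFC 4034 Appendix B. The function names and the sample RDATA are constructed for illustration; KEY_B shows that two different keys can share a tag.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA
 * (flags | protocol | algorithm | public key). Not valid for algorithm 1. */
uint16_t dnskey_keytag(const uint8_t *rdata, size_t len)
{
    uint32_t ac = 0;
    for (size_t i = 0; i < len; i++)
        ac += (i & 1) ? rdata[i] : (uint32_t)rdata[i] << 8;
    ac += (ac >> 16) & 0xFFFF;
    return (uint16_t)(ac & 0xFFFF);
}

/* Returns 1 if the candidate's key tag matches any previously used tag. */
int keytag_collides(const uint8_t *rdata, size_t len,
                    const uint16_t *used, size_t n_used)
{
    uint16_t tag = dnskey_keytag(rdata, len);
    for (size_t i = 0; i < n_used; i++)
        if (used[i] == tag)
            return 1;
    return 0;
}

/* Constructed sample RDATA (not real keys): flags=257, protocol=3, alg=8. */
const uint8_t KEY_A[] = {0x01,0x01,0x03,0x08, 0x03,0x01,0x00,0x01, 0xAA,0xBB,0xCC,0xDD};
/* KEY_A with its last two 16-bit words swapped: a different key, same tag. */
const uint8_t KEY_B[] = {0x01,0x01,0x03,0x08, 0x03,0x01,0x00,0x01, 0xCC,0xDD,0xAA,0xBB};
const uint8_t KEY_C[] = {0x01,0x01,0x03,0x08, 0x03,0x01,0x00,0x01, 0x11,0x22,0x33,0x44};

int main(void)
{
    /* Tags of previously generated KSKs; here only KEY_A's. */
    uint16_t used[] = { dnskey_keytag(KEY_A, sizeof KEY_A) };
    const uint8_t *cand[] = { KEY_B, KEY_C };
    const char *name[] = { "KEY_B", "KEY_C" };
    for (size_t i = 0; i < 2; i++)
        printf("%s tag=%u -> %s\n", name[i],
               (unsigned)dnskey_keytag(cand[i], sizeof KEY_A),
               keytag_collides(cand[i], sizeof KEY_A, used, 1)
                   ? "discard and regenerate" : "accept");
    return 0;
}
```

Because the tag is a folded 16-bit sum rather than a cryptographic hash, the comparison has to cover every previously generated KSK, not only the currently published one.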