[ksk-rollover] ICANN board meeting result and the Current status of KSK-Rollover
Paul Wouters
paul at nohats.ca
Tue Sep 18 14:22:39 UTC 2018
On Tue, 18 Sep 2018, Dmitry Burkov wrote:
> Do we really still need spliting KSK/ZSK?
Yes we do. The number of KSK private key access should be kept at a
minimum and all of them audited. If you remove the split, any operations
person can create secret ZSKs to be used in targeted attacks. It might
be very unlikely but I think we need the insurance.
> On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
>> I think we should set an "intense" schedule (twice per year? once per
>> year?) _beforehand_, to send the message that "there is no relief after
>> this, there is only more pain ahead ... unless you automate!" to the DNS
>> software community. There must be no way to hardcode the KSK in code.
>> This will continue to be this painful until that message is received and
>> understood.
I agree doing this annually would prevent hardcoding in software. I
think that is a great discussion to start a week after this roll :)
Paul
More information about the ksk-rollover
mailing list