[ksk-rollover] followup of DNSSEC Workshop at ICANN64

Keith Mitchell keith at dns-oarc.net
Fri Mar 15 14:28:47 UTC 2019


On 3/14/19 12:38 PM, Michael Richardson wrote:

>> If keys are generated a few years in advance of going into active
>> use, there is plenty of time for them to be disseminated
>> beforehand. They do not have to be pre-published in the zone
>> (although that is what RFC 5011 was designed for); they can be
>> distributed out of band by software updates or other means.  If
>> there are annual rollovers with keys generated N years in advance,
>> at any time there will be N pre-published keys one of which might
>> be pre-published in the zone, one active KSK in production, and 
>> maybe one in retirement.
> 
> Yes, I'd like to do that. I'd like N=10, and the roll-over frequency
> to be yearly.

The problem with generating that many keys out into the future is they
then become hostages to fortune should any issues arise during that
time-span with the integrity of those keys, e.g. a breach which causes
the private keys to be disclosed, flaws being discovered in the
algorithm in use, or the processes used to generate the keys, etc.

Which would likely mean a complete reset for new keys to be generated,
and a very large pile of baked-in pre-disseminated keys needing to be revoked.

The overall approach and annual rollover makes sense to me, but I think
care needs to be taken with the numbers proposed.

Keith
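To put numbers on the trade-off discussed above, here is an added Python model (not code from the thread, from ICANN or from DNS-OARC) of the quoted schedule: one KSK generated per year, each going active N years after generation. It assumes, as a worst case, that an incident in a given year compromises every key already generated, and counts how many keys would then have to be revoked and regenerated for N=2 versus N=10.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    generated: int  # year the key pair was generated
    active: int     # year it becomes the production KSK


def key_schedule(first_active: int, last_active: int, n_advance: int) -> list[Key]:
    """One key per year, each generated n_advance years before it goes active."""
    return [Key(a - n_advance, a) for a in range(first_active, last_active + 1)]


def key_states(keys: list[Key], year: int) -> dict[str, list[Key]]:
    """Bucket keys as the thread describes them at a given year: the active KSK,
    one pre-published in the zone (next year's), the rest pre-generated and
    disseminated out of band, one in retirement, and keys already expired."""
    states: dict[str, list[Key]] = {
        "active": [], "in_zone": [], "pre_generated": [], "retired": [], "expired": []}
    for k in keys:
        if k.generated > year:
            continue  # key does not exist yet
        if k.active == year:
            states["active"].append(k)
        elif k.active == year + 1:
            states["in_zone"].append(k)
        elif k.active > year + 1:
            states["pre_generated"].append(k)
        elif k.active == year - 1:
            states["retired"].append(k)
        else:
            states["expired"].append(k)
    return states


def revocation_fallout(keys: list[Key], incident_year: int) -> list[Key]:
    """Keys to revoke and regenerate if every key existing at incident_year is
    treated as compromised (a breach, or a flaw in the algorithm or generation
    process): the active KSK plus every pre-generated key, published or not."""
    return [k for k in keys if k.generated <= incident_year and k.active >= incident_year]


if __name__ == "__main__":
    for n in (2, 10):  # N as proposed in the thread versus a smaller horizon
        sched = key_schedule(2019, 2060, n)
        print(f"N={n}: {len(revocation_fallout(sched, 2030))} keys to revoke after a 2030 incident")
```

With annual rollovers the fallout is always N+1 keys, so the revocation pile grows linearly with how far ahead keys are generated.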

