KSK, ZSK and registry data escrow

Peter Koch pk at DENIC.DE
Wed Aug 30 12:59:52 EDT 2006

Dear all,

looking at the proposed new registry agreements for ORG, BIZ and INFO (see
(http://www.icann.org/announcements/announcement-2-28jul06.htm>), with
precedent already set by others, there's language in there that requires the
public and private key material for KSKs and ZSKs be made subject to escrow.
Now, you have to trust your escrow provider to a certain extent anyway, so the
risk may be limited, but still I wonder what the purpose -- and trade-offs --
of this requirement are, especially since this is the only key material that
is explicitly mentioned.
Why would a 'successor registry' not start over with its own, new keys?


More information about the Dnssec-deployment mailing list