[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)
steve at shinkuro.com
Mon Feb 6 14:35:56 EST 2012
For the record, I do not think a single solution is the right approach. Treating *every* key roll as a heavyweight emergency that requires manual intervention seems to me quite wrong. In-band replacement of the KSK on an orderly basis is very useful for orderly operation over the long haul. The fork in the road here, it seems to me, is we either treat 5011 as a meaningful part of the DNSSEC deployment and operation, or we don't. If we do, then it needs to be tested.
Planning for emergency key changes is also important, and I fully support doing everything we can think of to handle such eventualities as smoothly as possible.
Conflating emergency, disruptive key changes with planned, non-disruptive key rolls seems like a substantial mistake to me.
On Feb 6, 2012, at 2:08 PM, David Conrad wrote:
> On Feb 6, 2012, at 9:45 AM, Steve Crocker wrote:
>> My point about 5011 is that it's a mandated part of the functionality and it's a certainty that we will roll the root KSK from time to time, so it seems to me obvious and necessary to make sure the 5011 key rollover process will actually work.
> While I'd agree that rolling the key needs to be a certainty and that we need to ensure the key rolling process works, I am struggling to see what benefit 5011-style key rolls provide since we can't rely on 5011-style rolls in worst case scenarios. I'll also admit given the implications of root key loss/compromise, some concern regarding the implied frequency of root key rolls if we're using root key rolls to debug resolver code.
>> In this post-911 era where organizations around the world take seriously being prepared for emergencies, perhaps what you are suggesting is we should practice emergency key rolls. Ok, let's do it. How soon?
> Just a sec, let me check my calendar. How does Tuesday after next work for you? :-)
> More seriously, before we can practice emergency key rolls, I suspect we first need to agree on parameters and mechanisms and come up with a test plan. According to the published roll over plan, we have 3.5 years so I'd think getting something done before that would be a good idea.