[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

Tony Finch dot at dotat.at
Tue Feb 7 10:32:17 EST 2012

Joe Abley <joe.abley at icann.org> wrote:
> I just thought I'd mention the other obvious option, as we're
> considering changes to the processes documented in the DPS, which is to
> make a conscious decision never to roll the KSK unless it is believed to
> be compromised.
> That approach would obviate the need for planned key rollover support
> (such as that specified in RFC 5011) in validators, if we assume that a
> key compromise is serious enough to warrant a KSK roll which is too
> rapid for 5011. The bootstrapping requirement would remain.

What concerns me about the current bootstrapping mechanism is that it
doesn't solve the problem of emergency key rollover: it just moves it
from the root to the bootstrap key. And the management of the bootstrap
key is much less well specified than the root key.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
South German Bight, Humber: Easterly or northeasterly 4 or 5, increasing 6 at
times. Moderate. Wintry showers. Moderate or good, slight icing near european
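The exchange above turns on what RFC 5011 can and cannot do: a planned KSK roll works because the validator waits out an add hold-down before trusting a new key, and an emergency roll fails for exactly the same reason. The following toy model of the RFC 5011 trust-anchor state machine is an added example, not code from the thread or from any resolver. The key tags K1 and K2, the polling days and the two scenarios are constructed; signature verification is assumed to have already happened (an observation simply lists which keys' RRSIGs over the DNSKEY RRset verified). The 30-day hold-down values are the RFC 5011 defaults.

```python
"""Toy model of the RFC 5011 trust-anchor state machine (illustration only,
not the code of any real validator). Key tags and polling days are constructed."""
from dataclasses import dataclass
from enum import Enum

ADD_HOLD_DOWN = 30     # days; RFC 5011 default add hold-down
REMOVE_HOLD_DOWN = 30  # days; RFC 5011 default remove hold-down


class State(Enum):
    START = "Start"
    ADDPEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"
    REMOVED = "Removed"


@dataclass
class Observation:
    """One poll of the trust point's DNSKEY RRset (constructed input).
    Cryptographic checks are assumed done: 'signers' lists key tags whose
    RRSIG over the RRset verified."""
    day: int
    keys: dict[str, bool]   # key tag -> REVOKE bit set?
    signers: set[str]


class Validator:
    def __init__(self, bootstrap_keys):
        # Bootstrapped anchors start out Valid; there is no other way in.
        self.state = {k: State.VALID for k in bootstrap_keys}
        self.timer = {}  # key tag -> day on which its hold-down expires

    def trusted(self):
        return {k for k, s in self.state.items() if s in (State.VALID, State.MISSING)}

    def observe(self, obs):
        # 1. A REVOKE-bit key that self-signs the RRset is revoked immediately.
        for k, revoked in obs.keys.items():
            if revoked and k in obs.signers:
                st = self.state.get(k, State.START)
                if st in (State.VALID, State.MISSING):
                    self.state[k] = State.REVOKED
                    self.timer[k] = obs.day + REMOVE_HOLD_DOWN
                elif st == State.ADDPEND:
                    self.state[k] = State.START
                    self.timer.pop(k, None)
        # 2. The remove hold-down for revoked keys runs on wall-clock time.
        for k, st in list(self.state.items()):
            if st == State.REVOKED and obs.day >= self.timer[k]:
                self.state[k] = State.REMOVED
        # 3. Additions and promotions only count when the RRset is signed by
        #    a key the validator currently trusts; otherwise nothing is learned.
        if not (obs.signers & self.trusted()):
            return
        for k, revoked in obs.keys.items():
            if revoked:
                continue
            st = self.state.get(k, State.START)
            if st == State.START:
                self.state[k] = State.ADDPEND
                self.timer[k] = obs.day + ADD_HOLD_DOWN
            elif st == State.ADDPEND and obs.day >= self.timer[k]:
                self.state[k] = State.VALID
                del self.timer[k]
            elif st == State.MISSING:
                self.state[k] = State.VALID
        for k, st in list(self.state.items()):
            if k not in obs.keys:
                if st == State.ADDPEND:      # seen absent during hold-down: start over
                    self.state[k] = State.START
                    self.timer.pop(k, None)
                elif st == State.VALID:      # still trusted, just not published
                    self.state[k] = State.MISSING


def run(validator, observations):
    """Return (timeline of trusted anchors per poll, final state of each key)."""
    timeline = []
    for obs in observations:
        validator.observe(obs)
        timeline.append((obs.day, sorted(validator.trusted())))
    return timeline, {k: s.value for k, s in validator.state.items()}


def planned_roll():
    """Constructed scenario: K2 pre-published under K1, K1 revoked after the hold-down."""
    return run(Validator({"K1"}), [
        Observation(0, {"K1": False, "K2": False}, {"K1"}),
        Observation(15, {"K1": False, "K2": False}, {"K1"}),
        Observation(30, {"K1": False, "K2": False}, {"K1"}),
        Observation(31, {"K1": True, "K2": False}, {"K1", "K2"}),
        Observation(61, {"K2": False}, {"K2"}),
    ])


def emergency_roll():
    """Constructed scenario: K1 believed compromised, revoked on day 5, before K2's
    add hold-down has elapsed. No trusted anchor remains and K2 can never be
    promoted, so the validator must be re-bootstrapped out of band."""
    return run(Validator({"K1"}), [
        Observation(0, {"K1": False, "K2": False}, {"K1"}),
        Observation(5, {"K1": True, "K2": False}, {"K1", "K2"}),
        Observation(30, {"K1": True, "K2": False}, {"K1", "K2"}),
        Observation(40, {"K2": False}, {"K2"}),
    ])


if __name__ == "__main__":
    print("planned:", planned_roll())
    print("emergency:", emergency_roll())
```

The planned scenario ends with K2 trusted and K1 removed. In the emergency scenario the validator revokes K1 as instructed, but because every later DNSKEY RRset is signed only by a revoked key and a still-pending one, step 3 never runs again and K2 stays in AddPend forever: the hold-down cannot be shortened from the zone side, which is why a compromise-driven roll falls back on the bootstrap mechanism rather than on RFC 5011.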
