[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)

David Conrad drc at virtualized.org
Tue Feb 7 18:01:41 EST 2012


Steve,

On Feb 7, 2012, at 2:25 PM, Steve Crocker wrote:
> I am under the strong impression that keys need to be changed every so often even if they haven't been compromised.  

At a high level, I agree.  However, I believe 'every so often' maps to every 5+ years or so. For calibration, what is your definition of 'every so often'?

> The requirements for storage, propagation of the new key, etc., etc., when there has not been a compromise are *significantly* less onerous than dealing with a compromise.  

Could you expand on your assumptions here?  From my perspective, in both cases, you'll need to:

- regenerate a root key using some sort of key ceremony
- store that key in a secure fashion
- propagate that key to every validator on the planet in a secure way

In the case of a compromise, you'll also have to take steps to try to ensure a compromise does not reoccur, but that is a modification of KSK administration, not a function of key rolling. I'm obviously missing something...

Regards,
-drc


