[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)
drc at virtualized.org
Tue Feb 7 18:01:41 EST 2012
On Feb 7, 2012, at 2:25 PM, Steve Crocker wrote:
> I am under the strong impression that keys need to be changed every so often even if they haven't been compromised.
At a high level, I agree. However, I believe 'every so often' maps to every 5+ years or so. For calibration, what is your definition of 'every so often'.
> The requirements for storage, propagation of the new key, etc., etc., when there has not been a compromise are *significantly* less onerous than dealing with a compromise.
Could you expand on your assumptions here? From my perspective, in both cases, you'll need to:
- regenerate a root key using some sort of key ceremony
- store that key in a secure fashion
- propagate that key to every validator on the planet in a secure way
In the case of a compromise, you'll also have to take steps to try to ensure a compromise does not reoccur, but that is a modification of KSK administration, not a function of key rolling. I'm obviously missing something...
More information about the Dnssec-deployment