[Dnssec-deployment] Root key rolling (was NIST guidance as to DNSSEC and others)
Sebastian Castro
sebastian at nzrs.net.nz
Wed Feb 8 20:19:19 EST 2012
On 09/02/12 14:04, Phil Regnauld wrote:
> Michael StJohns (mstjohns) writes:
>>
>> With respect to the "low risk of compromise" - hah! Something will go wrong. At some point. You will need to change keys. And it may not be for reasons of compromise. (As an aside, what's the contingency plan for when the current HSM vendor goes out of business?)
>
> Side note: .NZ has just announced that they would temporarily be going
> insecure to resolve the issue of a glitch in the current key format:
>
> http://list.waikato.ac.nz/pipermail/nznog/2012-February/018827.html
>
> See https://lists.dns-oarc.net/pipermail/dns-operations/2012-January/007967.html
Thanks Phil for sharing this. I avoided sending that to this list to
reduce the noise...
>
> So yeah, bad stuff does happen and can leave you between a rock and hard
> place. In this case it was OpenDNSSEC, but it could well have been a buggy
> HSM with no more vendor support.
Cof, cof... did anyone say SCA6000? Some TLD operators are preparing to
switch from the Sun Card to a different HSM provider due to that. So
it's not a theoretical case.
>
> Now back to our regularly scheduled discussion on key rolling.
Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535