+1 to both of Paul’s points.
1- splitting the keys is good
2- rolling (semi)annually seems a good thing too, prevents people from becoming complacent

On 18 Sep 2018, at 11:22, Paul Wouters wrote:
On Tue, 18 Sep 2018, Dmitry Burkov wrote:
Do we really still need splitting KSK/ZSK?
Yes we do. The number of KSK private key accesses should be kept to a minimum and all of them audited. If you remove the split, any operations person can create secret ZSKs to be used in targeted attacks. It might be very unlikely but I think we need the insurance.
On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
I think we should set an "intense" schedule (twice per year? once per year?) _beforehand_, to send the message that "there is no relief after this, there is only more pain ahead ... unless you automate!" to the DNS software community. There must be no way to hardcode the KSK in code. This will continue to be this painful until that message is received and understood.
I agree doing this annually would prevent hardcoding in software. I think that is a great discussion to start a week after this roll :)
Paul

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
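An added example, not part of the thread, showing the monitoring check that Paul's argument for the KSK/ZSK split implies: with a split, the DNSKEY RRset must be signed only by SEP (KSK) keys, so any RRSIG over the DNSKEY RRset made by a non-SEP key, or by a key tag that is not in the RRset at all, is an anomaly to alert on. The DNSKEY records and the RRSIG key tags below are constructed sample values, not real zone data.

```python
# Added example (not from the ksk-rollover thread): audit which keys sign a DNSKEY RRset.
# Key tags follow RFC 4034 Appendix B; the SEP bit (RFC 4034 section 2.1.1) marks a KSK.
from dataclasses import dataclass

SEP_FLAG = 0x0001  # Secure Entry Point bit in the DNSKEY flags field


@dataclass(frozen=True)
class DNSKey:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material; constructed bytes here, not a real key


def key_tag(key: DNSKey) -> int:
    """Key tag over the DNSKEY RDATA (valid for all algorithms other than 1)."""
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(key: DNSKey) -> bool:
    return bool(key.flags & SEP_FLAG)


def audit_dnskey_signers(keys, rrsig_key_tags):
    """Return (ok, findings) for the key tags found in RRSIGs covering the DNSKEY RRset."""
    by_tag = {key_tag(k): k for k in keys}
    findings = []
    for tag in rrsig_key_tags:
        signer = by_tag.get(tag)
        if signer is None:
            findings.append(f"RRSIG over DNSKEY by key tag {tag} not present in the RRset")
        elif not is_ksk(signer):
            findings.append(f"DNSKEY RRset signed by non-SEP key (tag {tag}); KSK/ZSK split not enforced")
    if not any(is_ksk(k) for k in keys):
        findings.append("no SEP key present in DNSKEY RRset")
    return (not findings, findings)


# Constructed sample RRset: one KSK (flags 257) and one ZSK (flags 256), algorithm 8.
KSK = DNSKey(flags=257, protocol=3, algorithm=8, public_key=b"\x01\x02")
ZSK = DNSKey(flags=256, protocol=3, algorithm=8, public_key=b"\x03\x04")

if __name__ == "__main__":
    print(key_tag(KSK), key_tag(ZSK))                     # 1291 1804
    print(audit_dnskey_signers([KSK, ZSK], [key_tag(KSK)]))  # (True, [])
    print(audit_dnskey_signers([KSK, ZSK], [key_tag(ZSK)]))  # split not enforced
```

In production the `rrsig_key_tags` argument comes from the key tag field of the RRSIG records returned for the DNSKEY query (for example from `dig DNSKEY +dnssec`); the check itself needs no network access.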