On Apr 5, 2020, at 2:05 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
A Flash Drive is inserted in Step 5 (Page 14). The KSR is on it.
It seems like the weakest link, btw.
Hi Michael,

Sections 5.6 and 6.7 of the KSK operator DNSSEC Practice Statement explain how the KSR is transferred and verified:

5.6. Network Security Controls

No part of the signer system making use of the HSM is connected to any communications network. Communication of ZSK key signing requests (KSR) from the Root Zone Maintainer/ZSK Operator is done using a TLS client-side authenticated web server connected to the RZ KSK Operator's production network. Transfer of a KSR from the web server to the signer system is performed manually using removable media (refer to Section 6.7 for further details on verification of the KSR).

6.7. Verification of zone signing key set

Each key set within the Key Signing Request (KSR) is self-signed with the active key to provide proof of possession of the corresponding private key. The signer system will automatically validate this signature and perform checking of available parameters before accepting the KSR for signing. The RZ KSK Operator will verify the authenticity of the KSR document by performing an out-of-band verification (verbally over the phone, by fax, or any other available method) of the hash of the KSR, before entering the KSR into the signer system. The resulting Signed Key Response (SKR) is transferred back using the same TLS client-side authenticated connection used to receive the KSR from the Root Zone Maintainer.
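
The out-of-band check described in Section 6.7 above, as an added example that is not part of the original message or of the KSK operator's tooling: hash the KSR as it sits on the removable media and compare it with the digest received over a separate channel. SHA-256, the function names and the sample KSR bytes are assumptions; the quoted text does not name the hash algorithm.

```python
import hashlib
import hmac
import os
import string
import tempfile

# Constructed stand-in for a KSR document; not a real request.
SAMPLE_KSR = b"<KSR id='constructed-sample'><Request>zsk-keyset</Request></KSR>\n"


def file_sha256(path, chunk_size=65536):
    """Hash the file exactly as stored on the removable media."""
    digest = hashlib.sha256()  # assumption: the page does not name the algorithm
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_digest(text):
    """Reduce a digest read over the phone or copied from a fax to bare hex."""
    cleaned = "".join(ch for ch in text if ch not in " :-\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in string.hexdigits for ch in cleaned):
        # A truncated or mistyped digest is rejected, never compared as a prefix.
        raise ValueError("expected a full 64-hex-digit SHA-256 digest")
    return cleaned


def ksr_matches_out_of_band(path, reported_digest):
    """True only if the media copy hashes to the digest the sender reported."""
    return hmac.compare_digest(file_sha256(path), normalize_digest(reported_digest))


def demo():
    """Check an intact copy and a copy altered while on the media."""
    reported = hashlib.sha256(SAMPLE_KSR).hexdigest().upper()
    reported = " ".join(reported[i:i + 4] for i in range(0, 64, 4))  # as read aloud
    results = []
    for content in (SAMPLE_KSR, SAMPLE_KSR.replace(b"zsk", b"zsK")):
        with tempfile.NamedTemporaryFile(delete=False) as media_copy:
            media_copy.write(content)
        try:
            results.append(ksr_matches_out_of_band(media_copy.name, reported))
        finally:
            os.unlink(media_copy.name)
    return results


if __name__ == "__main__":
    print(demo())
```

The digest has to reach the operator over a channel independent of the removable media; a hash file carried on the same drive would be altered along with the KSR.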