On Tue, 18 Sep 2018, Dmitry Burkov wrote:
Do we really still need splitting KSK/ZSK?
Yes we do. The number of KSK private key accesses should be kept to a minimum, and all of them audited. If you remove the split, any operations person can create secret ZSKs to be used in targeted attacks. It might be very unlikely, but I think we need the insurance.
On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
I think we should set an "intense" schedule (twice per year? once per year?) _beforehand_, to send the message that "there is no relief after this, there is only more pain ahead ... unless you automate!" to the DNS software community. There must be no way to hardcode the KSK in code. This will continue to be this painful until that message is received and understood.
I agree that doing this annually would prevent hardcoding in software. I think that is a great discussion to start a week after this roll :) Paul
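Added example, not code from the thread or from any DNS implementation: a toy model of the DNSSEC chain of trust that shows both points argued above. The KSK signs the DNSKEY RRset, the ZSK signs zone data, and a validator trusts only a configured KSK (the trust anchor). A ZSK minted by someone with zone-signing access but no KSK access therefore produces signatures that never validate, and a validator whose anchor is hardcoded fails closed as soon as the KSK rolls. Ed25519 stands in for the real DNSKEY algorithms, the byte concatenation in canonical() stands in for DNSSEC canonical RRset form, and the record text, the scenario names and all function names are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// DNSKEYSet is a toy DNSKEY RRset: the zone's published public keys plus
// the RRSIG over that set, which only the KSK holder can produce.
type DNSKEYSet struct {
	Keys []ed25519.PublicKey
	Sig  []byte
}

// canonical gives a deterministic encoding of the key set (a stand-in for
// DNSSEC canonical RRset form) so signer and validator sign/verify the same bytes.
func canonical(keys []ed25519.PublicKey) []byte {
	enc := make([][]byte, len(keys))
	for i, k := range keys {
		enc[i] = []byte(k)
	}
	sort.Slice(enc, func(i, j int) bool { return bytes.Compare(enc[i], enc[j]) < 0 })
	return bytes.Join(enc, nil)
}

// SignDNSKEYSet is the KSK operation: publish a key set and sign it.
func SignDNSKEYSet(ksk ed25519.PrivateKey, keys ...ed25519.PublicKey) DNSKEYSet {
	return DNSKEYSet{Keys: keys, Sig: ed25519.Sign(ksk, canonical(keys))}
}

// Validate mirrors a validating resolver: trust anchor -> DNSKEY RRset -> data RRSIG.
func Validate(anchor ed25519.PublicKey, set DNSKEYSet, rdata, rrsig []byte) error {
	anchored := false
	for _, k := range set.Keys {
		if bytes.Equal(k, anchor) {
			anchored = true
		}
	}
	if !anchored {
		return errors.New("trust anchor not present in DNSKEY RRset (stale anchor?)")
	}
	if !ed25519.Verify(anchor, canonical(set.Keys), set.Sig) {
		return errors.New("RRSIG(DNSKEY) does not verify under the trust anchor")
	}
	for _, k := range set.Keys {
		if ed25519.Verify(k, rdata, rrsig) {
			return nil
		}
	}
	return errors.New("data RRSIG verifies under no key in the KSK-signed DNSKEY RRset")
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// RunScenarios returns the validation outcome (nil = accepted) for four cases.
func RunScenarios() map[string]error {
	rdata := []byte("www.example. IN A 192.0.2.1") // constructed sample record
	kskPub, ksk := mustKey()
	zskPub, zsk := mustKey()
	set := SignDNSKEYSet(ksk, kskPub, zskPub)
	out := map[string]error{}

	// 1. Normal operation: the ZSK signs data, the KSK vouches for the ZSK.
	out["legit"] = Validate(kskPub, set, rdata, ed25519.Sign(zsk, rdata))

	// 2. Someone with zone-signing access mints a secret ZSK and signs a
	//    forged answer, but has no KSK access and so cannot publish that key.
	roguePub, rogue := mustKey()
	out["rogue-zsk-unpublished"] = Validate(kskPub, set, rdata, ed25519.Sign(rogue, rdata))

	// 3. The same attacker also forges a DNSKEY RRset that lists the rogue ZSK,
	//    signed with the only private key they hold.
	forged := SignDNSKEYSet(rogue, kskPub, zskPub, roguePub)
	out["rogue-zsk-forged-set"] = Validate(kskPub, forged, rdata, ed25519.Sign(rogue, rdata))

	// 4. KSK rollover: the zone moves to a new KSK, the validator keeps the
	//    old one hardcoded. Everything is signed correctly and it still fails.
	kskPub2, ksk2 := mustKey()
	rolled := SignDNSKEYSet(ksk2, kskPub2, zskPub)
	out["stale-anchor-after-roll"] = Validate(kskPub, rolled, rdata, ed25519.Sign(zsk, rdata))
	return out
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-26s -> %v\n", name, err)
	}
}
```

Only the "legit" scenario validates. Cases 2 and 3 are the insurance the split buys: without KSK access the rogue ZSK is never vouched for, so its signatures are rejected. Case 4 is the failure mode a fixed roll schedule is meant to flush out: a validator that cannot pick up the new anchor (as RFC 5011 automated updates would) stops validating the zone entirely.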