Sorry you are right. Reread it as “minimize people with access to the most top level key as much as possible”. Sent from my phone
On Sep 18, 2018, at 11:18, Dmitry Burkov <dvburk@gmail.com> wrote:
Paul,
not sure that I understood you.
I was talking about the case where we will have one key - but you again mentioned KSK and ZSK.
Or - please - correct the terminology for this case
Dima
On 9/18/18 5:22 PM, Paul Wouters wrote:
On Tue, 18 Sep 2018, Dmitry Burkov wrote:
Do we really still need splitting KSK/ZSK?
Yes we do. The number of people with KSK private key access should be kept at a minimum and all of them audited. If you remove the split, any operations person can create secret ZSKs to be used in targeted attacks. It might be very unlikely but I think we need the insurance.
On 9/18/18 3:46 PM, Lars-Johan Liman wrote:
I think we should set an "intense" schedule (twice per year? once per year?) _beforehand_, to send the message that "there is no relief after this, there is only more pain ahead ... unless you automate!" to the DNS software community. There must be no way to hardcode the KSK in code. This will continue to be this painful until that message is received and understood.
I agree doing this annually would prevent hardcoding in software. I think that is a great discussion to start a week after this roll :)
Paul
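The risk Paul raises above (a ZSK quietly added to the zone outside the audited KSK process) is something a defender can watch for by auditing the published DNSKEY RRset against the keys the key ceremony actually approved. The following is an added example, not code from this thread or any project mentioned in it; the DNSKEY records, the approved key tags and the owner name "example." are constructed values, and the key tag routine follows RFC 4034 Appendix B.

```python
import base64
import struct

# Constructed DNSKEY RRset in presentation format (not real keys). The first record is the KSK
# (flags 257: zone key + Secure Entry Point bit); the other two are ZSKs (flags 256). The third
# record stands in for a ZSK that appeared without going through the approved key ceremony.
ZONE_DNSKEYS = """\
example. 3600 IN DNSKEY 257 3 13 AQIDBA==
example. 3600 IN DNSKEY 256 3 13 BQYHCA==
example. 3600 IN DNSKEY 256 3 13 CQoLDA==
"""

# Key tags of the keys the operations team signed off on (constructed values for this example).
APPROVED_KEY_TAGS = {2068, 4123}

def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split()
    owner, flags, protocol, algorithm = fields[0], int(fields[4]), int(fields[5]), int(fields[6])
    key = base64.b64decode("".join(fields[7:]))   # the base64 public key may span several fields
    return owner, flags, protocol, algorithm, key

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (valid for every algorithm except RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even-offset bytes are the high octet of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def audit_dnskeys(text, approved):
    """Classify each DNSKEY as KSK or ZSK by its SEP bit and report any key not on the approved list."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        owner, flags, protocol, algorithm, key = parse_dnskey(line)
        tag = key_tag(flags, protocol, algorithm, key)
        if not flags & 0x0100:                 # bit 7 (value 256) must be set for a zone key
            role = "NOT-A-ZONE-KEY"
        else:
            role = "KSK" if flags & 0x0001 else "ZSK"   # bit 15 (value 1) is the SEP flag
        status = "approved" if tag in approved else "UNEXPECTED"
        findings.append((owner, role, tag, status))
    return findings

if __name__ == "__main__":
    for owner, role, tag, status in audit_dnskeys(ZONE_DNSKEYS, APPROVED_KEY_TAGS):
        print(f"{owner} {role} tag={tag} {status}")
```

Run against a live zone, the same check would be fed by a DNSKEY query rather than the embedded text, and an UNEXPECTED line is the signal to raise.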