Hi Michael,

At 12:54 PM 04-04-2020, Michael Richardson wrote:
I was locating appropriate references for explaining Key signing ceremonies, and noticed the report of the safe problems at:
KSK Ceremony was held on February 15, 2020. There was an announcement at https://mm.icann.org/pipermail/root-dnssec-announce/2020/000125.html
and then the schedule at: https://www.iana.org/dnssec/ceremonies
in which April 23 is the next date. Will travel bans cause a problem? I kinda hope the travel bans are enforced.
I'll leave the above to PTI.
"Introduce HSM6E" Does this mean that a new HSM device will be added? I see RRSIG from keyid 20326 (current root) will expire 20200422000000. Maybe there is another RRSIG hidden away that I can't see?
The last SKR expires on July 7, 2020 at 00:00 (UTC).
https://www.iana.org/dnssec/icann-dps.txt
I am unclear from reading things over again how the ZSK gets to the ceremony. Is a new ZSK keypair generated during the KSK, or is it generated elsewhere and only the public part brought?
Verisign generates a Key Signing Request. There are sets of signed keys which are generated during a KSK Ceremony.
But, I started re-reading things because I was looking for pointers to documents *less* secure practices for CA key management. That's poor wording. Let me try again: Practices for lower value assets than the KSK.
There may be some old documentation (it is around a decade ago) which might be of help to the alternatives which were considered. The requirements for the Root Zone are unique. I suggest assessing which of them works for your case.

Regards,
S. Moonesamy