On 9/21/2014 3:17 PM, Paul Hoffman wrote:
On Sep 21, 2014, at 8:41 AM, Joe Abley <jabley@hopcount.ca> wrote:
One way that an emergency roll is different from a planned roll is that a planned roll can make use of existing non-compromised KSKs and their corresponding trust anchors, whereas an emergency roll (where the emergency is a consequence of a key compromise) might not have that luxury. Just a placeholder here, but one that some people care about:
A planned rollover could turn into an emergency rollover during the ceremony if it is discovered that the signing hardware for the current key (or all the current keys, if there are more than one) cannot be used.
I had to read this a few times to get what I think you meant. Specifically, if a) a signature is expiring over one of the groups of keys in the trust chain, and b) the hardware breaks so that the signature will expire before you can do the resigning, then c) it's an emergency. I'm stating it that way because keys don't actually have a defined EOL, so whether we're in an emergency situation or not is tied to signature expiration rather than the time you're trying to do the re-sign. In the above scenario you have the time between your attempt and the signature expiration to recover the keys and complete the signature. It's an internally triggered event that if completed successfully, has no external implications. If you're unable to resign the root DNSKEY RRSet in time with one of the keys in the root trust anchor set, then its not actually an emergency rollover (keys aren't compromised, no one else can use them for faking data in the zone), but a failure of process. The question is then how do you recover/reboot your trust anchor set so you can reestablish a chain of trust. I think they're two very different things to consider. Mike
You can't tell if signing hardware that is not being used (because it purposely offline, maybe in a safe) will be usable until you try.
--Paul Hoffman _______________________________________________ ksk-rollover mailing list ksk-rollover@icann.org https://mm.icann.org/mailman/listinfo/ksk-rollover