Thanks again for yet another great DNSSEC workshop in Kobe!

Let me chime in and recap what I said at the meeting.

I’m for regular rolling of the root KSK. Less than 5 years, which is too long to keep institutional and operational memory, but no more than every year, which would just be too much churn. Since we’re not in any hurry, I would use some time to look more into the strange increases we’ve seen, but it is not something that keeps me up at night.

With regard to online standby keys, it needs to be seen in a holistic way. What threats or scenarios are those keys trying to mitigate? Do they actually provide the security we think they do? E.g. if the active and standby keys are generated in the same HSM, it is no protection from an HSM compromise. What new vulnerabilities do published standby keys pose? With all the lessons learned since 2010, let’s go back to defining the problem we’re trying to solve, rather than having standby keys as a solution looking for a problem.

Med venlig hilsen / Best regards

Erwin Lansing
Head of Security & Chief Technologist
DK Hostmaster A/S

On 21 Mar 2019, at 14.42, Jacques Latour <Jacques.Latour@cira.ca> wrote:

As I also stated in the DNSSEC workshop, I support a regular root KSK rollover, annually but not longer than two years; we need to develop muscle memory to roll over the key. Also, if the removal of the old key tomorrow is uneventful then I think it would be worthwhile to roll the key in 6 months while our memory is still fresh; this may force the ones who manually update to use automated mechanisms.

As for the unexpected increased DNSKEY query results, as I said, it looks very interesting, but if there were real user or application problems behind it then they would have been fixed by now, and in my view the increase is probably not end-user / application impacting. Just plain old hardcoding ;-)

Jacques

-----Original Message-----
From: ksk-rollover <ksk-rollover-bounces@icann.org> On Behalf Of Yoshiro YONEYA
Sent: March 13, 2019 5:33 PM
To: ksk-rollover@icann.org
Subject: [ksk-rollover] followup of DNSSEC Workshop at ICANN64

Hi all,

During the DNSSEC Workshop at ICANN64, there was discussion regarding future KSK rollover.
https://64.schedule.icann.org/meetings/961939

This is a follow-up to what I said.

I support regular Root Zone KSK Rollover for operational maturity and DNS software maturity. The important thing is doing it regularly. Frequency may be once per 2-3 years, less than 5 years.
--
Yoshiro YONEYA

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover