Thanks again for yet another great DNSSEC workshop in Kobe!

Let me chime in and recap what I said at the meeting. I'm for regular rolling of the root KSK: less often than every 5 years would be too long to keep institutional and operational memory, but no more often than every year, as that would just be too much churn. Since we're not in any hurry, I would use some of that time to look more into the strange increases we've seen, but it is not something that keeps me up at night.

With regard to online standby keys, they need to be seen in a holistic way. What threats or scenarios are those keys trying to mitigate? Do they actually provide the security we think they do? E.g. if the active and standby keys are generated in the same HSM, that is no protection from an HSM compromise. What new vulnerabilities do published standby keys pose? With all the lessons learned since 2010, let's go back to defining the problem we're trying to solve, rather than having standby keys as a solution looking for a problem.


Med venlig hilsen / Best regards
 
Erwin Lansing
Head of Security & Chief Technologist

DK Hostmaster A/S, Ørestads Boulevard 108, 11. sal, 2300 København S
+45 2980 9214 | erwin@dk-hostmaster.dk | www.dk-hostmaster.dk


On 21 Mar 2019, at 14.42, Jacques Latour <Jacques.Latour@cira.ca> wrote:

As I also stated in the DNSSEC workshop, I support a regular root KSK rollover, annually but not longer than two years; we need to develop muscle memory to roll over the key. Also, if the removal of the old key tomorrow is uneventful, then I think it would be worthwhile to roll the key in 6 months while our memory is still fresh. This may force those who update manually to use automated mechanisms.

As for the unexpected increase in DNSKEY query results, as I said, it looks very interesting, but if there were real user or application problems behind it, then they would have been fixed by now, and in my view the increase is probably not end-user / application impacting. Just plain old hardcoding ;-)

Jacques



-----Original Message-----
From: ksk-rollover <ksk-rollover-bounces@icann.org> On Behalf Of Yoshiro YONEYA
Sent: March 13, 2019 5:33 PM
To: ksk-rollover@icann.org
Subject: [ksk-rollover] followup of DNSSEC Workshop at ICANN64

Hi all,

During the DNSSEC Workshop at ICANN64, there were discussions regarding future KSK rollovers.

https://64.schedule.icann.org/meetings/961939

This is a follow-up to what I said.

I support regular Root Zone KSK Rollover for operational maturity and DNS software maturity.
The important thing is doing it regularly. The frequency may be once per 2-3 years, and less than 5 years.

--
Yoshiro YONEYA

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover