I was locating appropriate references for explaining Key signing ceremonies, and noticed the report of the safe problems at: https://www.theregister.co.uk/2020/02/13/iana_dnssec_ksk_delay/ https://www.icann.org/news/blog/root-key-signing-key-ceremony-postponed and then the schedule at: https://www.iana.org/dnssec/ceremonies in which April 23 is the next date. Will travel bans cause a problem? I kinda hope the travel bans are enforced. "Introduce HSM6E" Does this mean that a new HSM device will be added? I see RRSIG from keyid 20326 (current root) will expire 20200422000000. Maybe there is another RRSIG hidden away that I can't see? https://www.iana.org/dnssec/icann-dps.txt I am unclear from reading things over again how the ZSK gets to the ceremony. Is a new ZSK keypair generated during the KSK, or is it generated elsewhere and only the public part brought? But, I started re-reading things because I was looking for pointers to documents *less* secure practices for CA key management. That's poor wording. let me try again: Practices for lower value assets than the KSK. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-