Hi,

ICANN announced that IANA planned to start pre-publishing the new KSK in the DNS in January 2024, but I haven't found it in the root zone yet. Does anyone know the current status?

ICANN Announces Schedule to Generate New Keys for KSK Key Rollover
https://www.icann.org/en/announcements/details/icann-announces-schedule-to-g...

-- Yasuhiro 'Orange' Morishita <yasuhiro@jprs.co.jp>
Wasn’t this postponed to happen with the change of the HSM?

—Alain
On 8 Feb 2024, at 09:35, Yasuhiro Orange Morishita / 森下泰宏 via ksk-rollover <ksk-rollover@icann.org> wrote:
> Hi,
>
> ICANN announced that IANA planned to start pre-publishing the new KSK in the DNS in January 2024, but I haven't found it in the root zone yet. Does anyone know the current status?
>
> ICANN Announces Schedule to Generate New Keys for KSK Key Rollover
> https://www.icann.org/en/announcements/details/icann-announces-schedule-to-g...
>
> -- Yasuhiro 'Orange' Morishita <yasuhiro@jprs.co.jp>

_______________________________________________
ksk-rollover mailing list
ksk-rollover@icann.org
https://mm.icann.org/mailman/listinfo/ksk-rollover
_______________________________________________ By submitting your personal data, you consent to the processing of your personal data for purposes of subscribing to this mailing list accordance with the ICANN Privacy Policy (https://www.icann.org/privacy/policy) and the website Terms of Service (https://www.icann.org/privacy/tos). You can visit the Mailman link above to change your membership status or configuration, including unsubscribing, setting digest-style delivery or disabling delivery altogether (e.g., for a vacation), and so on.
Quoting Yasuhiro Orange Morishita / 森下泰宏 via ksk-rollover on Thursday February 08, 2024:
> ICANN announced that IANA planned to start pre-publishing the new KSK in the DNS in January 2024, but I haven't found it in the root zone yet. Does anyone know the current status?
The new Root Zone KSK we generated last year has effectively been abandoned. After it was generated, we learned that the hardware security modules we use are being discontinued by the manufacturer without a successor. Since the keys are not exportable, it didn't make sense to keep using it if we were going to change hardware.

We undertook an exercise to identify an alternative HSM manufacturer, and it is planned the next Root Zone KSK will be generated on this new hardware in April.

See https://www.iana.org/news/2023/update-on-hsms-and-rollover-plans-for-root-zo... for more information.

kim
Just for curiosity, what's the new HSM platform?

Thanks - Mike

On 2/8/2024 10:32 AM, Kim Davies via ksk-rollover wrote:
> Quoting Yasuhiro Orange Morishita / 森下泰宏 via ksk-rollover on Thursday February 08, 2024:
>
>> ICANN announced that IANA planned to start pre-publishing the new KSK in the DNS in January 2024, but I haven't found it in the root zone yet. Does anyone know the current status?
>
> The new Root Zone KSK we generated last year has effectively been abandoned. After it was generated, we learned that the hardware security modules we use are being discontinued by the manufacturer without a successor. Since the keys are not exportable, it didn't make sense to keep using it if we were going to change hardware. We undertook an exercise to identify an alternative HSM manufacturer, and it is planned the next Root Zone KSK will be generated on this new hardware in April.
>
> See https://www.iana.org/news/2023/update-on-hsms-and-rollover-plans-for-root-zo... for more information.
>
> kim
Michael StJohns via ksk-rollover <ksk-rollover@icann.org> wrote:

> Just for curiosity, what's the new HSM platform?

same question, and... how do we/you know it won't happen again?

-- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
We will be moving to the Thales Luna USB G7 HSMs. Information regarding its selection and the impact on policies and procedures will be published in the coming weeks. I'll share the announcement on this list once published.

Thales is a reputable and established vendor whose products we expect to see supported long term. I anticipate the procedures coming out of this change will form a baseline response should we need to change HSM vendors again.

Thanks,
James

On 2/8/24, 3:13 PM, "ksk-rollover on behalf of Michael Richardson via ksk-rollover" <ksk-rollover-bounces@icann.org on behalf of ksk-rollover@icann.org> wrote:

> Michael StJohns via ksk-rollover <ksk-rollover@icann.org> wrote:
>
>> Just for curiosity, what's the new HSM platform?
>
> same question, and... how do we/you know it won't happen again?
>
> -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
Hi folks,

Thank you for the replies. I understand the current situation.

> We undertook an exercise to identify an alternative HSM manufacturer, and it is planned the next Root Zone KSK will be generated on this new hardware in April.
-- Yasuhiro 'Orange' Morishita <yasuhiro@jprs.co.jp>

From: James Mitchell via ksk-rollover <ksk-rollover@icann.org>
Subject: Re: [ksk-rollover] new KSK in the DNS
Date: Fri, 9 Feb 2024 06:32:34 +0000

> We will be moving to the Thales Luna USB G7 HSMs. Information regarding its selection and the impact on policies and procedures will be published in the coming weeks. I'll share the announcement on this list once published.
>
> Thales is a reputable and established vendor whose products we expect to see supported long term. I anticipate the procedures coming out of this change will form a baseline response should we need to change HSM vendors again.
>
> Thanks,
> James
>
> On 2/8/24, 3:13 PM, "ksk-rollover on behalf of Michael Richardson via ksk-rollover" <ksk-rollover-bounces@icann.org on behalf of ksk-rollover@icann.org> wrote:
>
>> Michael StJohns via ksk-rollover <ksk-rollover@icann.org> wrote:
>>
>>> Just for curiosity, what's the new HSM platform?
>>
>> same question, and... how do we/you know it won't happen again?
>>
>> -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
>> Sandelman Software Works Inc, Ottawa and Worldwide
participants (6)
- ALAIN AINA
- James Mitchell
- Kim Davies
- Michael Richardson
- Michael StJohns
- Yasuhiro Orange Morishita / 森下泰宏