Supplemental comments on Root Zone KSK Rollover
- To: comments-root-zone-consultation-08mar13@xxxxxxxxx
- Subject: Supplemental comments on Root Zone KSK Rollover
- From: Thierry Moreau <thierry.moreau@xxxxxxxxxxxxx>
- Date: Fri, 12 Apr 2013 10:35:46 -0400
Dear ICANN staff members:

Given that the ISOC comment on the KSK rollover provides a clear
articulation of the rationales for a proactive root KSK rollover program
by ICANN, I see the need to provide an additional comment on the issue.
The arguments in my earlier comment are on the record and they are in
many respects opposing the ISOC rationale elements.

The perspective of a successful root KSK rollover program is envisioned
by ISOC in these terms:

"The end result of this initial period is that rolling the root zone KSK
should become a routine operation that is regularly executed by ICANN
without any impacts to the DNS and to DNSSEC validation. At the point
that it becomes routine ICANN will then be ready to perform an
unscheduled root zone KSK rollover should such an event ever become
required."

In a security analysis with a key management focus, the new context
would see a shift of the single point of failure from the DNS root KSK
private key components to whatever private cryptographic key material
(e.g. a standby private key component) would be required for performing
a legitimate rollover operation. In the same line of thought as in my
previous comment, I doubt the Internet community actually benefits from
this mere shifting of focus for operational security measures
surrounding a system-wide master key.

--
- Thierry Moreau