ICANN ICANN Email List Archives


<<< Chronological Index >>>    <<< Thread Index >>>

Key Kept A-Rollin

  • To: "comments-root-zone-consultation-08mar13@xxxxxxxxx" <comments-root-zone-consultation-08mar13@xxxxxxxxx>
  • Subject: Key Kept A-Rollin
  • From: Ralf Weber <Ralf.Weber@xxxxxxxxxxx>
  • Date: Thu, 11 Apr 2013 07:21:31 +0000


As the time has changed from 2009 when the root key was introduced great care 
has to be taken for rolling it. There now is considerable deployment both on 
the authoritative side as well as the recursive side validating. As failures in 
the rollout will have a huge impact on validator clients and there really isn't 
a mitigation strategy for failures at the root. I think there should be a 
public test of a rollover on a separate infrastructure. 

Such a setup was sort of available before the initial rollout where there was 
an ICANN server that had a signed root with delegations that one could 
configured as the root in it's server. As most if not all recursive server 
implementations allow to configure different root hints from the ones supplied 
with it setting up a special test setup to do one or more root KSK rollovers 
should be possible. As vendors also have implemented tools to get the trust 
anchor based on draft-jabley-dnssec-trust-anchor ( 
http://tools.ietf.org/html/draft-jabley-dnssec-trust-anchor ) setting up a test 
setup for this would be a good idea also.

While this test might not catch all errors (especially the ones with stale 
hard/software) there is a range of possible failures this setup would catch 
that IMHO makes it worth pursuing it. And given that most people interested in 
DNSSE are hanging around the IETF, ICANN or a small number of other DNSSEC or 
DNS related groups/mailing lists I don't think it will be difficult to get 
large enough group to make the test useful.

Once all is good in the test setup there should be couple of KSK rolls over a 
shorter than normal period. How often and how frequent I don't have a 
particular preferences other than the count should be greater than 1 and the 
frequency more than 3 months and less than two years. What is important though 
is that all the problems that are encountered during either the test or real 
KSK rollovers will be documented in a public available document (e.g 
informational IETF draft), so that future implementers/operators can learn from 

So long
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400 
Redwood City, California 94063

<<< Chronological Index >>>    <<< Thread Index >>>

Privacy Policy | Terms of Service | Cookies Policy