[dns-operations] Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories
brettlists at gmail.com
Thu Feb 11 21:28:14 UTC 2010
On Mon, Feb 8, 2010 at 7:43 PM, Jay Daley <jay at nzrs.net.nz> wrote:
> On 8/02/2010, at 4:31 AM, Shane Kerr wrote:
>> I am wondering if we can also take something here to the reoccurring
>> debate about the utility of regular KSK rollovers.
>> In that debate, one argument is that since there is no cryptological
>> motivation for a KSK rollover, that these should be done only when the
>> KSK is possibly compromised. The other argument is that we need to do
>> regular rollovers so that when an emergency rollover is necessary it
>> will work.
>> This strikes me as indicating that even with regular rollovers, things
>> will still break. Which kind of supports the idea of rolling over only
>> in emergency, doesn't it? At least in that case you *might* never have
>> to go through the pain of making some domains go dark for some users....
> I have a lot of sympathy for this view but I still have some questions unresolved:
> 1. Is this pain if it happens, actually necessary to ensure that people learn to do things properly?
Well I think if you could be assured that people will learn from the
issue and it won't happen again then maybe but you can't really be
sure that somebody isn't going to make the same mistake again or
somebody else isn't going to make the same (or another) mistake.
> 2. Can a regular KSK rollover be scheduled to minimise the impact of the pain (in my TLD is certainly can because most of our registrants are in the same time zone) and would learning the lessons that way reduce the pain if any emergency KSK rollover were needed, which presumably could not be scheduled so?
I think a rollover of the KSK measured in 1-3 years is necessary to
ensure your key is not stale and at risk, but the process for doing
this roll needs to be rock solid and well practised on a beta system
that all of your operations staff have rolled lots of times. I think
you can have confidence the 'roll' will work without actually doing
the roll frequently as long as you have the correct systems and
training in place.
> 3. Do we need to apply "Rumsfield's Razor" (tm) to this problem - "There are known unknowns. That is to say, there are things that we now know we don’t know. But there are also unknown unknowns. These are things we do not know we don’t know." - and so be rolling KSKs in case they have been compromised but we just don't know about it?
I think so absolutely, with all the protection in the world how can
you be 100% sure that your key has not been compromised in some way
you hadn't possibly thought of and somebody is just sat there waiting
to use it.
More information about the dns-operations