[dns-operations] .fr has 5 DNSKEYs

George Barwood george.barwood at blueyonder.co.uk
Tue May 31 09:14:21 UTC 2011

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Stephane Bortzmeyer" <bortzmeyer at nic.fr>
Cc: "George Barwood" <george.barwood at blueyonder.co.uk>; <dns-operations at lists.dns-oarc.net>
Sent: Monday, May 30, 2011 9:07 PM
Subject: Re: [dns-operations] .fr has 5 DNSKEYs

> On Mon, 30 May 2011, Stephane Bortzmeyer wrote:
>> By the way, I forgot to explain the .FR configuration, sorry. We keep
>> a rescue key at all times. So the minimum number of keys is four (one
>> KSK, one rescue KSK, one ZSK, one rescue ZSK). During rollovers, there
>> is sometimes one more KSK or ZSK (and both if the rollovers happen to
>> overlap).
> Why would you need a "rescue ZSK"? You can introduce any new ZSK at any
> time with zero notice provided your current KSK signs it. Is this
> something to do with HSMs in different locations?

I find the "rescue" keys hard to understand.
The underlying problem is to "keep a secret" ( the secret key ).
The "keep" part can be addressed by making enough independent backups.
If there are concerns about too many people knowing the secret, that can be addressed
by encryption / key splitting techniques ( as has been done for the root zone ).
The rescue keys feel a bit like doing your backup in public, not very elegant.
Maybe there are political reasons? Or maybe it's really a good design, 
but that seems contrary to intuition.
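The thread turns on what a standby ("rescue") ZSK is for. The following is an added example, not code from any poster: it models a DNSKEY RRset with the four-key layout Stephane describes (active and rescue KSK, active and rescue ZSK) and the validator-side effect of an unplanned ZSK replacement with and without a pre-published standby. Key labels, flags-only key records and the 172800 s DNSKEY TTL are constructed, not .fr data.

```python
"""Model a DNSKEY RRset that carries standby ("rescue") keys and what the
standby ZSK buys during an emergency ZSK replacement. Constructed data only."""
from dataclasses import dataclass, replace

SEP = 0x0001        # Secure Entry Point bit in DNSKEY flags (RFC 4034 2.1.1)
ZONE_KEY = 0x0100   # Zone Key bit; flags 256 = ZSK, 257 = KSK


@dataclass(frozen=True)
class DnsKey:
    label: str      # constructed operator label, not a real key tag
    flags: int
    active: bool    # True if this key currently produces RRSIGs

    @property
    def role(self) -> str:
        return "KSK" if self.flags & SEP else "ZSK"


def summarize(rrset):
    """Count keys per role and how many of each are standby, as the thread does."""
    out = {}
    for k in rrset:
        role = out.setdefault(k.role, {"total": 0, "standby": 0})
        role["total"] += 1
        role["standby"] += not k.active
    return out


def emergency_zsk_swap(rrset, dnskey_ttl):
    """Retire the active ZSK now (e.g. suspected compromise). Returns the new
    RRset and the number of seconds during which a validator that cached the
    old DNSKEY RRset at t=0 cannot validate RRSIGs made by the replacement.
    A pre-published standby is already in every cached RRset, so the gap is 0;
    a freshly minted ZSK is unknown to caches for up to the DNSKEY TTL."""
    ksks = [k for k in rrset if k.role == "KSK"]
    standby = [k for k in rrset if k.role == "ZSK" and not k.active]
    if standby:
        return ksks + [replace(standby[0], active=True)], 0
    return ksks + [DnsKey("zsk-new", ZONE_KEY, True)], dnskey_ttl


# Constructed .fr-style RRset: active + rescue KSK, active + rescue ZSK.
FR_LIKE = [DnsKey("ksk-active", ZONE_KEY | SEP, True),
           DnsKey("ksk-rescue", ZONE_KEY | SEP, False),
           DnsKey("zsk-active", ZONE_KEY, True),
           DnsKey("zsk-rescue", ZONE_KEY, False)]
NO_RESCUE = [k for k in FR_LIKE if k.active]   # same zone without standbys

if __name__ == "__main__":
    print(summarize(FR_LIKE))
    for name, rrset in (("with rescue", FR_LIKE), ("without rescue", NO_RESCUE)):
        _, gap = emergency_zsk_swap(rrset, dnskey_ttl=172800)
        print(f"{name}: validators may fail for up to {gap} s")
```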
