[dns-operations] [Ext] Re: why root-servers only sign DNSKEY(257) RRSIG ?

Edward Lewis edward.lewis at icann.org
Tue Nov 28 22:59:11 UTC 2017

On 11/27/17, 10:04, "dns-operations on behalf of wbrown at e1b.org" <dns-operations-bounces at dns-oarc.net on behalf of wbrown at e1b.org> wrote:

>Isn't this actually best practice for non-root operators as well, keeping the KSK separated from the ZSK operations?

As far as a general "best practice" I'd say no.

When there's a single operator responsible for a zone, having separate facilities or even equipment for the KSK and ZSK is overkill.  Whether the KSK or the ZSK is compromised, any secure chain involving the two keys is vulnerable.  (In the sense that "a chain is only as strong as its weakest link".)

With the advent of automated submission of DS record material, splitting the key roles into zone-signing and key-signing is not really the best practice despite being the entrenched practice.

If one wanted to streamline their operations, they could use a "common signing key" structure, in which the same key that is used to make the DS record also signs all the zone data.

The root zone is an odd-ball.  There's no DS record published for it, so the common signing key approach isn't workable.  And with the sensitivity over the root zone, there's been a desire to have two completely different sets of eyes (operators) watch over it, enforced, in a sense, by splitting the KSK and ZSK functions.
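The two key layouts discussed above, written out as BIND 9 `dnssec-policy` configuration. This is an added illustration, not something posted by Edward Lewis or anyone else in this thread; the policy names, zone name and file path are assumptions chosen for the example. In the split layout the DS in the parent points at the KSK and only the ZSK is rolled routinely; in the CSK layout there is one key, so every roll implies a DS change at the parent, which is why the CSK approach leans on automated DS submission (CDS/CDNSKEY, which BIND publishes on its own under `dnssec-policy`).

```conf
// Entrenched practice: split roles. The parent's DS covers the KSK,
// the ZSK signs the zone data and can be rolled without touching the parent.
dnssec-policy "split" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D      algorithm ecdsap256sha256;
    };
};

// Streamlined practice: a single common signing key (CSK). The same key
// is referenced by the parent's DS and signs every RRset in the zone.
// Rolling it always requires a DS update, so CDS/CDNSKEY automation at
// the parent is what makes this workable in routine operation.
dnssec-policy "csk" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

// Example zone (name and path are assumptions for this illustration).
// Swap "csk" for "split" to get the two-key layout; nothing else changes.
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    dnssec-policy "csk";
    inline-signing yes;
};
```

Either policy is opaque to validators: a resolver walks DS -> DNSKEY -> RRSIG the same way in both cases, which is the point made above that compromise of either key in the split layout breaks the chain just as surely as compromise of the one key in the CSK layout. What the split buys is operational separation of who handles which key, which matters for the root (no DS above it, and a deliberate division of operators) far more than for a zone run by a single operator.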
