On 2009-10-07, at 16:25, Paul Hoffman wrote:

At 2:22 PM +0100 10/7/09, Joe Abley wrote:
From this perspective we might roll a ZSK more frequently than a KSK because the ZSK needs to be stored on-line to facilitate re-signing when the zone changes. With the KSK we have the option of keeping it off-line, and arguably the risk of compromise is consequently lower. Regular testing of the machinery is still important, however.

Please define "on-line" and "off-line".

The ZSK is exercised every time the zone changes. For some zones this is every few seconds. For the root zone it's twice per day. The equipment that performs the signing operation might well need to make use of the ZSK in an automated fashion, without human operators being present. This scenario is what I meant by "on-line".

The KSK is exercised every time a signature over the apex DNSKEY RRSet is required. This might be far more infrequent than the ZSK use described above. If so, it might be plausible to store the KSK on a device which has no network access and no power, in a secure facility, and to make the use of it a manual operation involving procedures, auditors, witnesses, etc. This is what I meant by "off-line".

I appreciate that there are other perfectly valid operational approaches in which the KSK is also kept on-line.

In the deployments I have heard of, both types of keys are stored with the same security procedures, but the ZSK might be stored in a physically different location (or not). The operational aspects of using the two keys are nearly identical.


Joe
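An added illustration of the apex DNSKEY RRSet the thread refers to (example code, not from the thread or its authors): it parses DNSKEY records in presentation format, computes each key's key tag per RFC 4034 Appendix B, and sorts keys into the KSK/ZSK roles by the flags field (bit 7 "zone key" = 256, bit 15 "SEP" = 1, so 257 is the usual KSK and 256 the usual ZSK; the SEP bit is only a hint, as RFC 4034 says, and the roles here follow the common convention). The three records, including the base64 key material, are constructed for the example and belong to no real zone; a key without the zone-key bit is reported as such, since it must not be used to validate zone data.

```python
import base64
from dataclasses import dataclass

# Constructed sample apex DNSKEY RRset in presentation format (NOT a real zone's keys).
# Flags 257 = ZONE + SEP (conventionally the KSK), 256 = ZONE only (conventionally the ZSK),
# 0 = neither bit set, i.e. not a zone key at all.
SAMPLE_DNSKEY_RRSET = """\
example. 3600 IN DNSKEY 257 3 8 AwEAAaurq6s=
example. 3600 IN DNSKEY 256 3 8 AwEAAaurq6s=
example. 3600 IN DNSKEY 0 3 8 AwEAAaurq6s=
"""

ZONE_KEY_FLAG = 0x0100  # bit 7 of the flags field: this is a zone key (RFC 4034 section 2.1.1)
SEP_FLAG = 0x0001       # bit 15 of the flags field: Secure Entry Point (RFC 4034 section 2.1.1)


@dataclass
class DnsKey:
    owner: str
    flags: int
    protocol: int      # RFC 4034 requires the value 3
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: sum even-indexed octets shifted left by 8 and
        # odd-indexed octets as-is, fold the carry back in, keep the low 16 bits.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def role(self) -> str:
        # Without the zone-key bit the record cannot be used for DNSSEC validation.
        if not self.flags & ZONE_KEY_FLAG:
            return "not-a-zone-key"
        # Conventional reading: SEP set -> KSK, SEP clear -> ZSK.
        return "KSK" if self.flags & SEP_FLAG else "ZSK"


def parse_dnskey(line: str) -> DnsKey:
    """Parse one presentation-format DNSKEY RR (owner TTL class DNSKEY flags proto alg key...)."""
    owner, _ttl, _cls, rtype, flags, proto, alg, *key = line.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    # The public key may be split across several whitespace-separated base64 chunks.
    return DnsKey(owner, int(flags), int(proto), int(alg), base64.b64decode("".join(key)))


def summarize(rrset_text: str) -> list[tuple[int, str]]:
    """Return (key tag, role) for every DNSKEY in the RRset text, in file order."""
    keys = (parse_dnskey(l) for l in rrset_text.splitlines() if l.strip())
    return [(k.key_tag(), k.role()) for k in keys]


if __name__ == "__main__":
    for tag, role in summarize(SAMPLE_DNSKEY_RRSET):
        print(f"key tag {tag:5d}  {role}")
```

The key tag is what an RRSIG carries to name the signing key, so the same routine lets an operator check which DNSKEY (KSK or ZSK) produced a given signature over the apex DNSKEY RRSet versus the rest of the zone.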
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
