Doug Barton wrote:
Roy Arends wrote:
I find it worrying that folks intend to test or practice operational
procedures by doing it often on a live production system. What if that
test or practice fails? "Whoops, we were testing it on the live system,
we failed, good thing we called it a test"

There is also a risk involved by rolling keys over regularly. Especially
when the schedule is publicly announced. "If your attack fails, we will
have write access to the keystore _every month_, on the 1st, at exactly
3 am cest".

I fail to see the operational benefit of "Frequent Rollover Syndrome".

Roy,

I know you understand the concept that no matter how well you practice
something in the QA lab you're never really _sure_ it works till you
do it "in the wild." I think that at least in the early days of actual
DNSSEC deployment (which we have barely stepped into atm) it's very
reasonable to exercise all parts of the system now, under (relatively)
controlled conditions so that down the road if we reach a point where
we are forced to do an emergency key rollover on an "important" zone
we'll have some level of comfort (or at least know where to look for
things to break).

Down the road I tend to agree with you that "frequent" KSK rollover
will probably not have much benefit, but if I were administering a
zone for which DNSSEC was critical I'd probably do it once a year just
to keep all parts of the machine lubricated.

Doug - the key changes will want to be in accordance with corporate policy for all identity token management and should be administered as such. That generally means in audited companies a formal review once a year or more often. Because of this, and since the DNSSEC services will become a key part of Internet presence management, these will also need to be reviewed as part of any formal IT audit practice as well.

Todd Glassey (as an Auditor).

Doug



_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
