Root Zone DNSSEC Deployment Technical Status Update

Jakob Schlyter jakob at kirei.se
Sat Jul 17 07:10:23 EDT 2010


On 16 jul 2010, at 19.59, Thierry Moreau wrote:

> With what was called DURZ (Deliberately Unvalidatable Root Zone), you, security experts, have been trained to accept signature validation failures as false alarms by experts from reputable institutions.

Thierry, do you know of anyone that configured the DURZ DNSKEY and accepted the signature validation failures that resulted from it? We had good (documented) reasons for deploying the DURZ as we did, the deployment was successful and it is now all water under the bridge. Adding FUD at this time does not help.


> Auditing details are not yet public.

Yes, they are - see http://data.iana.org/ksk-ceremony/. If there is anything missing, please let me know.


> I am wondering specifically about the protections of the private key material between the first "key ceremony" and the second one. I didn't investigate these details since ICANN was in charge and promised full transparency. Moreover, my critiques were kind of counterproductive in the face of the seemingly overwhelming confidence in advice from the Verisign experts. In the worst scenario, we would already have a KSK signature key on which a "suspected breach" qualification would be attached.

The key material was couriered between the Key Management Facilities by ICANN staff members. I'd be happy to make sure you get answers to any questions you may have regarding this handling.


> Is there an emergency KSK rollover strategy?

Yes, please read the DPS - https://www.iana.org/dnssec/icann-dps.txt.


	jakob (member of the Root DNSSEC Design Team)

--
Jakob Schlyter
Kirei AB - http://www.kirei.se/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
