[145350] in cryptography@c2.net mail archive
Re: Root Zone DNSSEC Deployment Technical Status Update
daemon@ATHENA.MIT.EDU (Jakob Schlyter)
Sat Jul 17 09:17:47 2010
From: Jakob Schlyter <jakob@kirei.se>
In-Reply-To: <4C409E0D.9040508@connotech.com>
Date: Sat, 17 Jul 2010 13:10:23 +0200
Cc: "Perry E. Metzger" <perry@piermont.com>, cryptography@metzdowd.com
To: Thierry Moreau <thierry.moreau@connotech.com>
On 16 jul 2010, at 19.59, Thierry Moreau wrote:
> With what was called DURZ (Deliberately Unvalidatable Root Zone), you, security experts, have been trained to accept signature validation failures as false alarms by experts from reputable institutions.
Thierry, do you know of anyone that configured the DURZ DNSKEY and accepted the signature validation failure resulting because of this? We had good (documented) reasons for deploying the DURZ as we did, the deployment was successful and it is now all water under the bridge. Adding FUD at this time does not help.
> Auditing details are not yet public.
Yes, they are - see http://data.iana.org/ksk-ceremony/. If there is anything missing, please let me know.
> I am wondering specifically about the protections of the private key material between the first "key ceremony" and the second one. I didn't investigate these details since ICANN was in charge and promised full transparency. Moreover, my critiques were kind of counterproductive in face of the seemingly overwhelming confidence in advice from the Verisign experts. In the worst scenario, we would already have a KSK signature key on which a "suspected breach" qualification would be attached.
The key material was couriered between the Key Management Facilities by ICANN staff members. I'd be happy to make sure you get answers to any questions you may have regarding this handling.
> Is there an emergency KSK rollover strategy?
Yes, please read the DPS - https://www.iana.org/dnssec/icann-dps.txt.
jakob (member of the Root DNSSEC Design Team)
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com