On 2011-04-18, at 15:01, George Barwood wrote:

> I have a few comments.
>
> (1) It's my belief that almost all Zones except for the root zone should NOT
> use a KSK/ZSK split.
In practice, for a TLD zone operator, rolling a KSK is a more complicated and time-consuming process than rolling a ZSK. A ZSK roll can be achieved quickly, entirely using systems operated by the TLD operator, whilst a KSK roll necessarily involves review by external organisations which takes more time. (An emergency DS RRSet change for the root zone is required to be implemented within 48 hours of submission, assuming the request is well-formed. There have been no such requests to date so it is not possible to offer data on the actual time for implementation.)

Where a KSK/ZSK split exists, the frequency of use of each key is not the same -- ZSKs are typically exercised more frequently (every time an RRSIG over any RRSet in the zone needs to be generated) than KSKs (which only need to be exercised as part of a ZSK roll).

I don't think it's unreasonable for these facts, as an inject to an appropriate threat analysis, to result in a recommendation to operate with a ZSK/KSK split -- such an arrangement facilitates different levels of protection for each key commensurate with the ease with which it might be rolled and the frequency with which it is required to be used.

I'm not saying it's the only way to go, but I think recommending against the practice makes little sense.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
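The operational point Joe makes above (a ZSK roll stays inside the signer's own systems, while a KSK roll changes the DS RRSet that the parent must publish) can be seen by computing DS digests over a DNSKEY RRSet before and after each kind of roll. The following Python is an added illustration, not code from this thread; the zone name and key bytes are constructed placeholders, not real keys.

```python
import hashlib
import struct

def wire_name(name: str) -> bytes:
    # Owner name in canonical (lowercase) DNS wire format, RFC 4034 section 6.2.
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    # DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key.
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    # Key tag over the DNSKEY RDATA, RFC 4034 Appendix B.
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    # DS digest type 2 (SHA-256) over owner name || DNSKEY RDATA, RFC 4509.
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def ds_rrset(owner: str, dnskeys):
    # The DS RRSet the parent would hold: one DS per key with the SEP bit set
    # (flags 257 = zone key + SEP). Plain ZSKs (flags 256) never appear here.
    return sorted((key_tag(r), ds_digest(owner, r)) for r in dnskeys if r[1] & 0x01)

# Constructed placeholder key material for a hypothetical zone (not real keys).
ZONE = "example."
KSK_OLD = dnskey_rdata(257, 8, b"constructed-ksk-public-key-bytes-old")
KSK_NEW = dnskey_rdata(257, 8, b"constructed-ksk-public-key-bytes-new")
ZSK_OLD = dnskey_rdata(256, 8, b"constructed-zsk-public-key-bytes-old")
ZSK_NEW = dnskey_rdata(256, 8, b"constructed-zsk-public-key-bytes-new")

def parent_change_needed(before, after) -> bool:
    # True when the roll alters the DS RRSet, i.e. the parent (for a TLD, the root) must act.
    return ds_rrset(ZONE, before) != ds_rrset(ZONE, after)

def roll_demo() -> dict:
    current    = [KSK_OLD, ZSK_OLD]
    zsk_rolled = [KSK_OLD, ZSK_NEW]   # ZSK roll: signer-side only, DS unchanged
    ksk_rolled = [KSK_NEW, ZSK_NEW]   # KSK roll: a new DS must reach the parent
    return {
        "zsk_roll_needs_parent": parent_change_needed(current, zsk_rolled),
        "ksk_roll_needs_parent": parent_change_needed(zsk_rolled, ksk_rolled),
    }

if __name__ == "__main__":
    print(roll_demo())  # {'zsk_roll_needs_parent': False, 'ksk_roll_needs_parent': True}
```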