On 4/18/11 4:26 PM, "Joe Abley" <jab...@hopcount.ca> wrote:
>
>
> On 2011-04-18, at 15:01, George Barwood wrote:
>
>> I have a few comments.
>>
>> (1) It's my belief that almost all Zones except for the root zone should NOT
>> use a KSK/ZSK split.
>
> In practice, for a TLD zone operator, rolling a KSK is a more complicated and
> time-consuming process than rolling a ZSK. A ZSK roll can be achieved quickly,
> entirely using systems operated by the TLD operator, whilst a KSK roll
> necessarily involves review by external organisations which takes more time.
>
> (An emergency DS RRSet change for the root zone is required to be implemented
> within 48 hours of submission, assuming the request is well-formed. There have
> been no such requests to date so it is not possible to offer data on the
> actual time for implementation.)
>
> Where a KSK/ZSK split exists, the frequency of use of each key is not the same
> -- ZSKs are typically exercised more frequently (every time an RRSIG over any
> RRSet in the zone needs to be generated) than ZSKs (which only need to be
> exercised as part of a ZSK roll).
>
> I don't think it's unreasonable for these facts, as an inject to an
> appropriate threat analysis, to result in a recommendation to operate with a
> ZSK/KSK split -- such an arrangement facilitates different levels of
> protection for each key commensurate with the ease with which it might be
> rolled and the frequency with which it is required to be used.
>
> I'm not saying it's the only way to go, but I think recommending against the
> practice makes little sense.
+1
Eric
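A small model of the KSK/ZSK split discussed in the quoted text, added here as an illustration; it is not code from this thread or from any DNSSEC signer. It counts how often each private key is exercised and whether the parent's DS record has to change, so you can see that a ZSK roll stays entirely within the child zone while a KSK roll forces a DS update at the parent. Assumptions: the "RRSIG" is an HMAC stand-in (so verification here needs the secret, unlike real DNSSEC), the DS is a plain SHA-256 digest, and rolls are single-step with no pre-publish/TTL timing. The zone name and RRsets are constructed sample data.

```python
import hashlib
import hmac
import os


class Key:
    """Toy DNSSEC key: the 'signature' is an HMAC over the RRset data,
    a constructed stand-in for a real RRSIG (not real DNSSEC)."""

    def __init__(self, role):
        self.role = role                                     # "KSK" or "ZSK"
        self.secret = os.urandom(32)                         # private half
        self.public = hashlib.sha256(self.secret).digest()   # published in DNSKEY
        self.uses = 0                                        # private-key operations

    @property
    def tag(self):
        return hashlib.sha256(self.public).hexdigest()[:8]

    def _mac(self, data):
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def sign(self, data):
        self.uses += 1
        return self._mac(data)

    def verify(self, data, sig):
        # Real validators use only the public key; the HMAC stand-in cannot.
        return hmac.compare_digest(self._mac(data), sig)

    def ds(self, owner):
        # Parent-side DS: digest over owner name + public key (simplified).
        return hashlib.sha256(owner + self.public).hexdigest()


class Zone:
    def __init__(self, name, rrsets):
        self.name = name.encode()
        self.rrsets = dict(rrsets)      # owner -> RDATA bytes; DNSKEY kept separately
        self.ksk = Key("KSK")
        self.zsk = Key("ZSK")
        self.rrsigs = {}                # owner -> (key tag, signature)
        self.parent_ds = None           # what the parent currently publishes
        self.parent_ds_updates = 0      # each one is an external change request
        self.full_resign()

    def dnskey_rrset(self):
        return b"DNSKEY|" + self.ksk.public + b"|" + self.zsk.public

    def full_resign(self):
        # ZSK signs every ordinary RRset; KSK signs only the DNSKEY RRset.
        for owner, rdata in self.rrsets.items():
            self.rrsigs[owner] = (self.zsk.tag, self.zsk.sign(rdata))
        self.rrsigs["DNSKEY"] = (self.ksk.tag, self.ksk.sign(self.dnskey_rrset()))

    def publish_ds(self):
        # Submit the KSK's DS to the parent; counts only if it actually changes.
        new_ds = self.ksk.ds(self.name)
        if new_ds != self.parent_ds:
            self.parent_ds = new_ds
            self.parent_ds_updates += 1

    def roll_zsk(self):
        self.zsk = Key("ZSK")
        self.full_resign()    # DNSKEY RRset changed, so the KSK signs once more
        self.publish_ds()     # no-op: the DS covers the KSK, parent untouched

    def roll_ksk(self):
        self.ksk = Key("KSK")
        self.rrsigs["DNSKEY"] = (self.ksk.tag, self.ksk.sign(self.dnskey_rrset()))
        self.publish_ds()     # parent DS must change: the external step


def verify_chain(zone):
    """Walk the chain of trust: parent DS -> KSK -> DNSKEY RRSIG -> ZSK -> RRSIGs."""
    if zone.parent_ds != zone.ksk.ds(zone.name):
        return False
    tag, sig = zone.rrsigs["DNSKEY"]
    if tag != zone.ksk.tag or not zone.ksk.verify(zone.dnskey_rrset(), sig):
        return False
    for owner, rdata in zone.rrsets.items():
        tag, sig = zone.rrsigs[owner]
        if tag != zone.zsk.tag or not zone.zsk.verify(rdata, sig):
            return False
    return True


def key_usage(zone):
    return {"KSK": zone.ksk.uses, "ZSK": zone.zsk.uses,
            "DS updates": zone.parent_ds_updates}


if __name__ == "__main__":
    # Constructed sample zone with two ordinary RRsets.
    z = Zone("example.test.", {"www": b"A 192.0.2.1",
                               "mail": b"MX 10 mx.example.test."})
    z.publish_ds()
    print("initial   ", key_usage(z), verify_chain(z))
    z.roll_zsk()
    print("after ZSK roll", key_usage(z), verify_chain(z))
    z.roll_ksk()
    print("after KSK roll", key_usage(z), verify_chain(z))
```

With two RRsets the ZSK is exercised twice per full signing pass while the KSK is exercised once, only over the DNSKEY RRset; the ZSK roll leaves the parent's DS count unchanged, and only the KSK roll increments it. Adding more RRsets widens the gap in the same direction, which is the usage asymmetry the quoted message uses to justify different protection levels for the two keys.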
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop