> On 11 May 2022, at 13:20, Anand Buddhdev wrote:
>
> Our main reason is that we do not have separate storage for the KSKs and
> ZSKs. They were all stored together on the signer. Additionally, our ECDSA
> KSKs and ZSKs were of the same size. Therefore, there is no additional
> protection o
On 11/05/2022 14:07, Jim Reid wrote:
Hi Jim,

> Many thanks for the update Anand.
> Could you give a bit more detail on why you decided to dump the
> ZSKs? Was it just a matter of having fewer keys to manage and fewer moving
> parts that could break?

Managing keys isn't an issue, since it is all aut
> On 11 May 2022, at 12:53, Anand Buddhdev wrote:
>
> On Tuesday 3 May, we performed a DNSSEC Key Signing Key (KSK) roll-over for
> all the zones that we maintain and sign. During this roll-over, we dropped
> the Zone Signing Keys (ZSKs), and began signing the zones with just their new
> KS
Dear colleagues,
On Tuesday 3 May, we performed a DNSSEC Key Signing Key (KSK) roll-over
for all the zones that we maintain and sign. During this roll-over, we
dropped the Zone Signing Keys (ZSKs), and began signing the zones with
just their new KSKs. Technically, these keys are the same as an