To: johani@autonomica.se (Johan Ihren)
Cc: scottr@antd.nist.gov, olaf@ripe.net, bmanning@isi.edu, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Fri, 18 Oct 2002 11:49:16 -0700 (PDT)
In-Reply-To: <2ciszzk2xj.fsf@snout.autonomica.net> from Johan Ihren at "Oct 18, 2 08:38:32 pm"
Sender: owner-dnssec@cafax.se
Subject: Re: root zone signing and key lengths/lifetimes
% "Scott Rose" <scottr@antd.nist.gov> writes:
%
% Hi Scott,
%
% I'm trying to catch up, sorry for being so late.
%
% > Mainly I was wondering why the draft set up frequency of key
% > rollovers. Not that it's a huge technical problem. Although the
% > human nature side of me is reminded that the more frequent the
% > operation, the more frequent human error creeps in.
%
% Furthermore I'd much prefer to force a certain beat to the rollovers
% to get experience with the mechanism and whether it works or not.
%
% To have the first ever rollover of the root key 12 or 18 months into a
% possible large scale DNSSEC deployment (if there will ever be such a
% thing) is a rather scary concept to me.
%
% Johan

Not that this is germane to most of the folks on this list, but there
is a little testbed that is investigating key mgmt in the context of
DNSSEC/DS. The testbed has rolled the root key three times in six weeks
(mostly due to things like making the mistakes of using the mandatory
to implement (DSA), then the fact the default RSA is MD5). We are now
at RSA/SHA1 with a "fat" key size. The expectation is to roll a new
key on about that schedule.

Key rollover is problematic, esp. from the point of view of the
endsystem, since the current technology requires replacing all the
distributed copies of the key. :(

(see previous Bush/Andrews thread on possible ways around this problem)

--bill
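The "distributed copies of the key" Bill refers to are the trust anchors each validating resolver carries for the root, usually stored as a DS record (key tag, algorithm, digest type, digest over the DNSKEY). The following is an added example, not code from the thread or from the testbed described above; it computes DNSKEY key tags and DS digests as specified in RFC 4034 (Appendix B for the key tag, Section 5.1.4 for the digest) and then runs the trust-anchor matching step of validation over three rollover scenarios. The key material is constructed filler bytes (not real RSA moduli), the algorithm numbers are those RFC 4034 assigns to RSA/MD5, DSA and RSA/SHA1, and RRSIG verification is deliberately left out: the point shown is only whether a resolver holding the old anchor can still find a matching key after the roll.

```python
"""DNSSEC trust-anchor bookkeeping: key tags, DS digests, anchor matching.

Added example with constructed key material; not a real root key.
"""
import base64
import hashlib

# Algorithm numbers from RFC 4034 Appendix A.1 (the three the thread mentions).
RSAMD5, DSA, RSASHA1 = 1, 3, 5

# Constructed DNSKEY presentation data: flags 257 = zone key + SEP,
# protocol 3, algorithm 5 (RSA/SHA1). The "key" bytes are filler.
OLD_ROOT_KEY = "257 3 5 AQIDBA=="   # key bytes 01 02 03 04
NEW_ROOT_KEY = "257 3 5 BQYHCA=="   # key bytes 05 06 07 08


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, root is b'\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def parse_dnskey(text: str) -> bytes:
    """'flags protocol algorithm base64key' -> DNSKEY RDATA in wire form."""
    flags, proto, alg, key_b64 = text.split(None, 3)
    return (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key_b64.split())))


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Algorithm 1 (RSA/MD5) is special-cased per Appendix B.1: the tag is
    taken from the low-order octets of the modulus rather than computed.
    """
    if rdata[3] == RSAMD5:
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), hex encoded."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(name_to_wire(owner) + rdata).hexdigest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 1):
    """The (key tag, algorithm, digest type, digest) tuple a resolver would store."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def matching_keys(anchors, owner: str, rrset):
    """Return the DNSKEYs in rrset that some configured DS anchor authenticates.

    A DS matches a DNSKEY when key tag, algorithm and digest all agree and the
    key has the Zone Key flag (RFC 4034 2.1.1, bit 7 of the flags field).
    """
    matches = []
    for rdata in rrset:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & 0x0100:
            continue
        for tag, alg, dtype, digest in anchors:
            if (tag == key_tag(rdata) and alg == rdata[3]
                    and digest == ds_digest(owner, rdata, dtype)):
                matches.append(rdata)
                break
    return matches


def rollover_scenarios() -> dict:
    """Does a resolver still holding the OLD anchor find a usable root key?"""
    old, new = parse_dnskey(OLD_ROOT_KEY), parse_dnskey(NEW_ROOT_KEY)
    stale_anchor = [ds_record(".", old)]      # the distributed copy nobody updated
    return {
        "before_roll": bool(matching_keys(stale_anchor, ".", [old])),
        "flag_day_roll": bool(matching_keys(stale_anchor, ".", [new])),
        "overlap_roll": bool(matching_keys(stale_anchor, ".", [old, new])),
        "anchor_updated": bool(matching_keys([ds_record(".", new)], ".", [new])),
    }


if __name__ == "__main__":
    for label, key in (("old", OLD_ROOT_KEY), ("new", NEW_ROOT_KEY)):
        rd = parse_dnskey(key)
        print(label, "DS:", *ds_record(".", rd))
    print(rollover_scenarios())
```

The `flag_day_roll` case is the failure Bill describes: the zone swaps to the new key, the resolver's anchor still names the old one, nothing in the root DNSKEY RRset matches, and validation fails until every copy of the anchor is replaced by hand. The `overlap_roll` case shows why pre-publishing the new key next to the old one helps: the stale anchor still matches the old key, so the resolver can validate the RRset containing both and learn the new key; that RRSIG check is the part this example leaves out.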