Root Zone KSK: After 5 years - PowerPoint Presentation

1. Root Zone KSK: After 5 yearsElise Gerich | APNIC 40 | September 2015

2. Where are we todayRoll (change) the Root Key Signing Key (KSK) Getting to a plan Agenda

3. Root Zone KSK (Key Signing Key)The trust anchor in the DNSSEC hierarchyHas been in operation since June 2010Root Zone PartnersICANNVerisignUSG Dept of Commerce NTIA"After 5 years of operation"Created Design Team to propose plan for rollover of root KSKTarget for delivery of plan in fall of 2015Where are we today

4. Design Team MembersVolunteer Team MembersJoe AbleyJohn DickinsonOndrej SuryYoshiro YoneyaJaap AkkerhuisGeoff HustonPaul WoutersRoot Zone Partners

5. What is …KSKKey-Signing Key signs DNSKEY RR setRoot Zone KSKPublic key in DNS Validator Trust Anchor setsCopied everywhere - "configuration data"Private key used only inside Hardware Security Module (HSM)Impact of root KSK rolloverLarge impact on those validatingA new root KSK has to be updated everywhereOther KSK rolls inform the parent (or DLV)Mitigated by RFC5011's trust anchor management

6. Planning ApproachCurrent Volunteer Design TeamStudy, discussion through JulyPresent draft report for ICANN Public Commenthttps://www.icann.org/public-comments/root-ksk-2015-08-06-enPresent final report ~ one month after Public Comment Period closes

7. Feedback WelcomeInput to the Public Commenthttps://www.icann.org/public-comments/root-ksk-2015-08-06-enInput to Design Team MembersInput during Q&A after Geoff’s presentation

8. Thank you!