SAC063 - SSAC Advisory on DNSSEC Key Rollover in the Root Zone
Venue
ICANN Security and Stability Advisory Committee (SSAC) Reports and Advisories, ICANN (2013)
Publication Year
2013
Authors
Warren Kumari, Russ Mundy, Matt Larson, Jaap Akkerhuis
Abstract
There is consensus in the security and domain name system (DNS) communities that
the root zone DNS Security Extensions (DNSSEC) system poses unique challenges for
standard DNSSEC practices. While there is agreement that an eventual root zone
Key-Signing Key (KSK) rollover is inevitable regardless of whether that rollover is
caused by a key compromise or other factors, there is no solid consensus in the
technical community regarding the frequency of routine, scheduled KSK rollovers. In
this Advisory the SSAC addresses the following topics:

* Terminology and definitions relating to DNSSEC key rollover in the root zone;
* Key management in the root zone;
* Motivations for root zone KSK rollover;
* Risks associated with root zone KSK rollover;
* Available mechanisms for root zone KSK rollover;
* Quantifying the risk of failed trust anchor update; and
* DNS response size considerations.
