This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] RIPE NCC DNS operations update

Previous message (by thread): [dns-wg] RIPE NCC DNS operations update
Next message (by thread): [dns-wg] RIPE NCC DNS operations update

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Anand Buddhdev anandb at ripe.net
Wed May 11 14:20:08 CEST 2022

On 11/05/2022 14:07, Jim Reid wrote:

Hi Jim,

> Many thanks for the update Anand.
> 
> Could you give a bit more detail on why you decided to dump the
> ZSKs?  Was it just a matter of having fewer keys to manage and fewer moving
> parts that could break?

Managing keys isn't an issue, since it is all automated by the signer.

Our main reason is that we do not have separate storage for the KSKs and 
ZSKs. They were all stored together on the signer. Additionally, our 
ECDSA KSKs and ZSKs were of the same size. Therefore, there is no 
additional protection offered by separating them, and so it is 
reasonable to use a CSK.

Regards,
Anand Buddhdev
RIPE NCC

Previous message (by thread): [dns-wg] RIPE NCC DNS operations update
Next message (by thread): [dns-wg] RIPE NCC DNS operations update

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]