[Yeti DNS Discuss] *Another* update on Multiple ZSK (MZSK) experiment
shane at biigroup.cn
Wed Jan 27 21:02:51 UTC 2016
Based on discussions with my colleagues at BII there are some changes
to the proposed experiment.
The most important thing is probably that I'd like to propose actual
dates for the experiment, with it starting on 2016-02-08 and finishing
on 2016-04-01, which happens to be during the DNS-OARC meeting through
extreme coincidence. :)
On 2016-01-26 04:43:34+0800 (Tuesday)
Shane Kerr <shane at biigroup.cn> wrote:
This has been updated slightly.
First, we decided to introduce 5 new ZSK as the very first step. We'll
need to handle 6 ZSK in total for the worst-case test where we roll all
3 ZSK at the same time, so we may as well validate this right away.
Also, I have documented what fallback procedure we'll use if the
experiment fails at each step.
> I've also documented a possible version of the synchronization protocol
> for the experiment:
> In this version we do not share private keys. Instead, each DM operator
> makes its own ZSK. This necessitates some way of sharing RRSIG for
> those keys, which is also in the modified protocol. The changes are at
> the end of the document, although of course you can use GitHub to
> compare with the non-MZSK version of the document.
It turns out that I hadn't really though through the RRSIG
sharing. :( We'll have to manage that through some separate process,
which is undefined for now. That should be okay for the experiment and
in the mid-term since all of the DM have access to the private KSK
information. In the long term this won't work of course, but we'll need
some more elaborate mechanism.
More information about the discuss