On 11/05/2022 14:07, Jim Reid wrote:
Hi Jim,
> Many thanks for the update Anand.
> Could you give a bit more detail on why you decided to dump the
> ZSKs? Was it just a matter of having fewer keys to manage and fewer moving
> parts that could break?
Managing keys isn't an issue, since it is all automated by the signer.
Our main reason is that we do not have separate storage for the KSKs and
ZSKs. They were all stored together on the signer. Additionally, our
ECDSA KSKs and ZSKs were of the same size. Therefore, there is no
additional protection offered by separating them, and so it is
reasonable to use a CSK.
Regards,
Anand Buddhdev
RIPE NCC
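
An added example, not part of the original message and not RIPE NCC's code: a way to tell from a zone's DNSKEY and RRSIG records whether it is signed with a CSK or with a KSK/ZSK split. The key material is constructed filler rather than real keys, and the function names and tuple layouts are assumptions made for this sketch.

```python
import base64
import struct

ZONE_KEY = 0x0100  # DNSKEY "Zone Key" flag bit (RFC 4034)

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def classify(dnskeys, rrsigs):
    """dnskeys: (flags, protocol, algorithm, pubkey_b64) tuples.
    rrsigs: (type_covered, signer_key_tag) tuples seen in the zone.
    Key tags can collide; a full check would also verify the signatures."""
    published = {key_tag(*k) for k in dnskeys if k[0] & ZONE_KEY}
    signs_keys, signs_data = set(), set()
    for type_covered, tag in rrsigs:
        if tag not in published:
            continue  # signer is not in the DNSKEY RRset
        (signs_keys if type_covered == "DNSKEY" else signs_data).add(tag)
    if not signs_keys or not signs_data:
        return "unknown"
    if signs_keys == signs_data:
        return "CSK"            # same key(s) sign the key set and the zone data
    if signs_keys.isdisjoint(signs_data):
        return "KSK/ZSK split"  # separate keys for the key set and the data
    return "mixed"              # e.g. part-way through a migration

def fake_key(flags, start):
    # Constructed 64-byte value standing in for an ECDSA P-256 public key.
    return (flags, 3, 13, base64.b64encode(bytes(range(start, start + 64))).decode())

KEY_A = fake_key(257, 0)   # constructed sample, flags 257 (Zone Key + SEP)
KEY_B = fake_key(256, 64)  # constructed sample, flags 256 (Zone Key only)
TAG_A, TAG_B = key_tag(*KEY_A), key_tag(*KEY_B)

if __name__ == "__main__":
    print(classify([KEY_A], [("DNSKEY", TAG_A), ("SOA", TAG_A), ("NS", TAG_A)]))
    print(classify([KEY_A, KEY_B], [("DNSKEY", TAG_A), ("SOA", TAG_B)]))
```

The classification goes by which keys actually sign which RRsets rather than by the flags field alone, since the flags only state intent.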