Update on Hardware Security Modules and Rollover Plans for the Root Zone KSK
18 July 2023
In April we announced that the manufacturer of our hardware security modules (HSMs) used to securely store the Root Zone Key Signing Key will cease production of the devices.
As noted in that communication, we continued with our previously announced plans to begin the first phases of a KSK rollover. We generated a new KSK at the KSK Ceremony 49 in April, and plan to replicate the KSK to the second facility in the upcoming KSK Ceremony 50 this week.
In the past few months we've procured Keyper HSMs to both meet our replacement schedule and provide additional spare units. We've been engaging HSM manufacturers to identify a new vendor and collaborating with our root zone management partner, Verisign, who is also impacted in relation to management of the root zone ZSK. The operational considerations for the ZSK differ from the KSK, particularly given the need for online day-to-day signing, but the security of the root zone relies on the robustness of all of these parts.
In light of the uncertainty surrounding the future configuration of the HSMs, we have decided to not immediately update the root zone trust anchor files with the digest of KSK-2023 immediately following Ceremony 50. There is a strong likelihood we will seek to generate a new KSK on a new HSM platform once operationalized, which will cause us to abandon the recently generated KSK. We will however retain the recently generated KSK for now should those plans not pan out in a suitable time frame.
Potential options are being actively evaluated, and we expect to have developed a preferred remediation approach in the coming months. While we don't have all the answers at this time, we encourage questions and feedback from trusted community representatives and other interested observers. This input will help inform our future planning.