.gov DNSSEC operational message
mlarson at verisign.com
Sun Dec 26 11:07:03 CST 2010
On Thu, 23 Dec 2010, Jay Ashworth wrote:
> > From: "Matt Larson" <mlarson at verisign.com>
> > The new KSK will not be published in an authenticated manner outside
> > DNS (e.g., on an SSL-protected web page). Rather, the intended
> > mechanism for trusting the new KSK is via the signed root zone: DS
> > records corresponding to the new KSK are already present in the root
> > zone.
> That sounds like a policy decision... and I'm not sure I think it sounds
> like a *good* policy decision, but since no reasons were provided, it's
> difficult to tell.
> Why was that decision taken, Matt?
Having a zone's KSK statically configured on validators as a trust
anchor can lead to a world of hurt: when rolling the KSK, the zone
owner has to get everyone to update their trust anchor configuration.
In theory, the protocol described in RFC 5011 allows an operator to
signal a roll and validators will do the right thing. In practice, in
these early days, you can't count on much 5011 deployment because
implementations haven't been available for that long.
This situation puts the operator of a popular signed zone, such as a
TLD, in a difficult position and makes KSK rolls difficult--but only
if the KSK is statically configured. Meanwhile, we now have a
perfectly good signed root zone that can vouch for any TLD's KSK. As
a result, as the impending registry operator for .gov, VeriSign
doesn't want to encourage static configuration of the .gov KSK as a
trust anchor. Such static configuration would be made easier and
implicitly condoned if the .gov KSK were published and authenticatable
outside of DNS.
Note that the situation is the same today with the signed .net zone
(and will be the same for the .com zone when it is signed in Q1 of
2011): the .net KSK is intentionally not published outside DNS. The
path to trusting that key is via the signed DS record corresponding to
it in the root zone.
More information about the NANOG