.gov DNSSEC operational message
bmanning at vacation.karoshi.com
Wed Dec 29 04:25:27 UTC 2010
On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote:
>
> Yes, having a verifiable source of keys OOB might have a small bit of
> value, but, assuming we get general adoption of RFC 5011, I think it's
> pretty limited value. Of course, this begs the question, how do we do a
> better job of verifying the keys received out of band than the root zone
> does of verifying the keys? Sort of a chicken and egg problem.
> --
> R. Kevin Oberman, Network Engineer
presumes RFC 5011 is viable. fall outside the 30-day window and
you're screwed. :) that said, what folks came up w/ for the root
key roll might be a useful template, e.g. the use of TCRs and
use an M/N assurance check - in those rare cases where you're just
foobarr'ed and you can't take your servers into the SCIF to rekey.
and/or an alternative to the strict timing constraints in RFC 5011
with a protocol that gives more leeway for a node being offline
over a keyroll interval.
There -should- be a functional equivalent of OTAR for DNSSEC keys
that is not constrained to a tight window... IMHO of course.
--bill
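The failure mode Bill describes, a validator that is offline for the whole add hold-down window and comes back after the old key is revoked, is easy to see in a toy model. The following is an added example, not code from either poster or from any resolver implementation. It simulates a reduced RFC 5011 state machine (only the AddPend, Valid and Revoked states; the Missing/Removed handling is left out), drives it over a constructed KSK roll timeline, and then shows a hypothetical M-of-N out-of-band bootstrap in the spirit of the TCR idea. The HMAC-based attestation is a stand-in for whatever real signature scheme such a check would use; the key tags, day numbers and attester names are all made up.

```python
"""Toy RFC 5011 validator: an online resolver follows a KSK roll, an
offline one is left with no usable trust anchor. Constructed example."""
import hashlib
import hmac
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 section 2.4.1 minimum add hold-down


@dataclass(frozen=True)
class Key:
    tag: int
    revoked: bool = False  # the REVOKE bit of the DNSKEY flags field


@dataclass(frozen=True)
class DnskeySet:
    """Apex DNSKEY RRset plus the key tags whose RRSIGs cover it."""
    keys: frozenset
    signers: frozenset


class Rfc5011Resolver:
    """Per-anchor state is [state, day_first_seen]; states used here are
    AddPend, Valid and Revoked (Missing/Removed omitted for brevity)."""

    def __init__(self, initial_tags, day=0):
        self.anchors = {tag: ["Valid", day] for tag in initial_tags}

    def valid_tags(self):
        return {t for t, (state, _) in self.anchors.items() if state == "Valid"}

    def observe(self, day, rrset):
        """Process one fetched DNSKEY RRset; False if it could not be validated."""
        # RFC 5011 only acts on an RRset signed by a currently Valid anchor
        if not (rrset.signers & self.valid_tags()):
            return False
        present = {k.tag: k for k in rrset.keys}
        for tag, key in present.items():
            # revocation requires the REVOKE bit and a self-signature
            if key.revoked and tag in self.anchors and tag in rrset.signers:
                self.anchors[tag][0] = "Revoked"
            elif tag not in self.anchors and not key.revoked:
                self.anchors[tag] = ["AddPend", day]
        for tag in list(self.anchors):
            state, first_seen = self.anchors[tag]
            if state != "AddPend":
                continue
            if tag not in present:
                del self.anchors[tag]  # vanished before hold-down: back to Start
            elif day - first_seen >= ADD_HOLD_DOWN_DAYS:
                self.anchors[tag][0] = "Valid"
        return True


def ksk_roll_schedule():
    """Constructed zone timeline: key 1 is the old KSK, key 2 the new one."""
    old, new, old_rev = Key(1), Key(2), Key(1, revoked=True)

    def rrset_on(day):
        if day < 10:   # only the old key published
            return DnskeySet(frozenset({old}), frozenset({1}))
        if day < 50:   # new key pre-published, both keys sign
            return DnskeySet(frozenset({old, new}), frozenset({1, 2}))
        if day < 60:   # old key revoked and self-signed alongside the new key
            return DnskeySet(frozenset({old_rev, new}), frozenset({1, 2}))
        return DnskeySet(frozenset({new}), frozenset({2}))  # roll complete
    return rrset_on


def run(online_days, last_day=90):
    """Valid anchor tags held by a resolver that polled on the given days."""
    rrset_on = ksk_roll_schedule()
    resolver = Rfc5011Resolver({1})
    for day in range(last_day + 1):
        if day in online_days:
            resolver.observe(day, rrset_on(day))
    return resolver.valid_tags()


def oob_attest(secret, tag):
    """Hypothetical TCR attestation: HMAC over the key tag (signature stand-in)."""
    return hmac.new(secret, str(tag).encode(), hashlib.sha256).hexdigest()


def bootstrap_out_of_band(resolver, tag, attestations, tcr_secrets, m):
    """Install `tag` as Valid only if at least m known TCR holders vouch for it."""
    good = sum(
        1 for holder, mac in attestations.items()
        if holder in tcr_secrets
        and hmac.compare_digest(mac, oob_attest(tcr_secrets[holder], tag))
    )
    if good < m:
        return False
    resolver.anchors[tag] = ["Valid", 0]
    return True


if __name__ == "__main__":
    always_on = set(range(0, 91))
    away_for_roll = set(range(0, 10)) | set(range(50, 91))
    print("online resolver trusts:", run(always_on))       # {2}
    print("offline resolver trusts:", run(away_for_roll))  # set()
```

The online resolver sees key 2 continuously from day 10, promotes it on day 40, and survives the revocation on day 50. The resolver that is away from day 10 to day 49 accepts the day-50 RRset (still signed by key 1), revokes key 1, and puts key 2 into AddPend; from then on no RRset is signed by a Valid anchor, so key 2 never leaves AddPend and validation is dead until someone intervenes out of band, which is what the M-of-N bootstrap stands in for.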