.gov DNSSEC operational message

Florian Weimer fw at deneb.enyo.de
Sun Dec 26 17:23:01 UTC 2010


* Jay Ashworth:

> ----- Original Message -----
>> From: "Matt Larson" <mlarson at verisign.com>
>
>> The new KSK will not be published in an authenticated manner outside
>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>> mechanism for trusting the new KSK is via the signed root zone: DS
>> records corresponding to the new KSK are already present in the root
>> zone.
>
> That sounds like a policy decision... and I'm not sure I think it sounds
> like a *good* policy decision, but since no reasons were provided, it's
> difficult to tell.

I don't know if it influenced the policy decision, but as it is
currently specified, the protocol ensures that configuring an
additional trust anchor never decreases availability when you've also
got the root trust anchor configured, it can only increase it.  This
means that there is little reason to configure such a trust anchor,
especially in the present scenario.
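As an added illustration of the validator property described in the message above (this is not code from the thread; the zone data and key tags are constructed placeholders, and the "any configured anchor that validates makes the answer secure" rule is modelled in simplified form, not as any particular resolver's implementation):

```python
from typing import Dict, List, Optional, Set

# Constructed toy delegation data (placeholder key tags, not real root/.gov keys):
# zone -> DNSKEY key tags it publishes, and per child, key tags its DS records name.
ZONES = {
    ".":            {"keys": {19036},       "ds": {"gov.": {7698, 55131}}},
    "gov.":         {"keys": {7698, 55131}, "ds": {"example.gov.": {1234}}},
    "example.gov.": {"keys": {1234},        "ds": {}},
}

def path(anchor: str, target: str) -> Optional[List[str]]:
    """Zones from the anchor down to the target, e.g. '.' -> 'gov.' -> 'example.gov.'."""
    labels = [lbl for lbl in target.split(".") if lbl]
    zones = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return zones[zones.index(anchor):] if anchor in zones else None

def validates_via(anchor: str, anchor_tags: Set[int], target: str) -> bool:
    """True if a DS/DNSKEY chain starting at this one anchor reaches the target."""
    chain = path(anchor, target)
    if chain is None:
        return False
    # A stale anchor matches no key the zone currently publishes: this chain fails.
    if not anchor_tags & ZONES.get(chain[0], {"keys": set()})["keys"]:
        return False
    for parent, child in zip(chain, chain[1:]):
        parent_ds = ZONES.get(parent, {"ds": {}})["ds"].get(child, set())
        if not parent_ds & ZONES.get(child, {"keys": set()})["keys"]:
            return False
    return True

def is_secure(anchors: Dict[str, Set[int]], target: str) -> bool:
    """Any configured anchor that yields a valid chain makes the answer secure."""
    return any(validates_via(zone, tags, target) for zone, tags in anchors.items())

ROOT_ONLY = {".": {19036}}
ROOT_PLUS_STALE_GOV = {".": {19036}, "gov.": {9999}}   # old .gov anchor, key rolled away
STALE_GOV_ONLY = {"gov.": {9999}}

def demo() -> Dict[str, bool]:
    """Adding an extra anchor next to the root anchor never makes a secure name fail."""
    return {
        "root_only": is_secure(ROOT_ONLY, "example.gov."),
        "root_plus_stale_gov": is_secure(ROOT_PLUS_STALE_GOV, "example.gov."),
        "stale_gov_only": is_secure(STALE_GOV_ONLY, "example.gov."),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'secure' if ok else 'validation fails'}")
```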

More information about the NANOG mailing list