.gov DNSSEC operational message

Doug Barton dougb at dougbarton.us
Tue Dec 28 19:41:18 UTC 2010


On 12/26/2010 09:07, Matt Larson wrote:
| On Thu, 23 Dec 2010, Jay Ashworth wrote:
|>> From: "Matt Larson"<mlarson at verisign.com>
|>
|>> The new KSK will not be published in an authenticated manner outside
|>> DNS (e.g., on an SSL-protected web page). Rather, the intended
|>> mechanism for trusting the new KSK is via the signed root zone: DS
|>> records corresponding to the new KSK are already present in the root
|>> zone.
|>
|> That sounds like a policy decision... and I'm not sure I think it sounds
|> like a *good* policy decision, but since no reasons were provided, it's
|> difficult to tell.

Actually I thought Matt went to great lengths in his original post to
explain both the current landscape and the reasons why you'd want to
make a change.

|> Why was that decision taken, Matt?
|
| Having a zone's KSK statically configured on validators as a trust
| anchor can lead to a world of hurt: when rolling the KSK, the zone
| owner has to get everyone to update their trust anchor configuration.
| In theory, the protocol described in RFC 5011 allows an operator to
| signal a roll and validators will do the right thing.  In practice, in
| these early days, you can't count on much 5011 deployment because
| implementations haven't been available for that long.
|
| This situation puts the operator of a popular signed zone, such as a
| TLD, in a difficult position and makes KSK rolls difficult--but only
| if the KSK is statically configured.  Meanwhile, we now have a
| perfectly good signed root zone that can vouch for any TLD's KSK.  As
| a result, as the impending registry operator for .gov, VeriSign
| doesn't want to encourage static configuration of the .gov KSK as a
| trust anchor.  Such static configuration would be made easier and
| implicitly condoned if the .gov KSK were published and authenticatable
| outside of DNS.

To the extent my opinion counts for anything, this all sounds perfectly
reasonable to me.

Now OTOH if someone wants to demonstrate the value in having a
publication channel for TLD DNSKEYs outside of the root zone, I'm
certainly willing to listen. Just be forewarned that you will have an
uphill battle in trying to prove your case. :)


Doug

-- 

	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

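As an added illustration of the point Matt makes (this is not code from the thread or from VeriSign): a validator needs no statically configured .gov trust anchor because it can check any candidate .gov DNSKEY against the DS RRset the signed root publishes, recomputing the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) itself. The keys and DS set below are constructed sample values, not the real .gov material.

```python
import hashlib
import struct

# Owner name of the zone under discussion; key material below is constructed.
ZONE = "gov."

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name: 'gov.' -> b'\\x03gov\\x00'."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA (RFC 4034 section 2.1): flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest over owner-name-wire || DNSKEY RDATA; type 1 = SHA-1, type 2 = SHA-256 (RFC 4509)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()

def make_ds(owner, rdata, digest_type=2):
    """The DS tuple (key_tag, algorithm, digest_type, digest) a parent zone would publish."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def covered_by_parent(owner, rdata, ds_set):
    """True if some DS in the parent's RRset vouches for this DNSKEY (tag, algorithm, digest all match)."""
    tag, alg = key_tag(rdata), rdata[3]
    return any(t == tag and a == alg and d == ds_digest(owner, rdata, dt)
               for (t, a, dt, d) in ds_set)

# Constructed KSKs (flags 257, algorithm 8): the old key, the new key being rolled in,
# and an unrelated key that the root has never delegated to.
OLD_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32)))
NEW_KSK = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(32, 64)))
ROGUE_KEY = dnskey_rdata(257, 3, 8, b"\x03\x01\x00\x01" + bytes(range(64, 96)))

# Root DS RRset for gov. during the roll: DS records for both old and new KSK are present.
ROOT_DS_FOR_GOV = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]

def trust_status(ds_set=ROOT_DS_FOR_GOV):
    """Which candidate keys the parent's DS records vouch for, with no local trust anchor for gov."""
    return {name: covered_by_parent(ZONE, k, ds_set)
            for name, k in (("old", OLD_KSK), ("new", NEW_KSK), ("rogue", ROGUE_KEY))}

if __name__ == "__main__":
    print(trust_status())  # {'old': True, 'new': True, 'rogue': False}
```

Once the old DS is withdrawn from the root, the same check rejects the old KSK and accepts only the new one, which is the whole roll from a validator's point of view.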
More information about the NANOG mailing list