.gov DNSSEC operational message

Jay Ashworth jra at baylink.com
Tue Dec 28 20:07:47 CST 2010

----- Original Message -----
> From: "Matt Larson" <mlarson at verisign.com>

> On Thu, 23 Dec 2010, Jay Ashworth wrote:
> > > From: "Matt Larson" <mlarson at verisign.com>
> >
> > > The new KSK will not be published in an authenticated manner
> > > outside DNS (e.g., on an SSL-protected web page). Rather, the intended
> > > mechanism for trusting the new KSK is via the signed root zone: DS
> > > records corresponding to the new KSK are already present in the
> > > root zone.
> >
> > That sounds like a policy decision... and I'm not sure I think it
> > sounds like a *good* policy decision, but since no reasons were provided,
> > it's difficult to tell.
> >
> > Why was that decision taken, Matt?
> Having a zone's KSK statically configured on validators as a trust
> anchor can lead to a world of hurt: when rolling the KSK, the zone
> owner has to get everyone to update their trust anchor configuration.
> In theory, the protocol described in RFC 5011 allows an operator to
> signal a roll and validators will do the right thing. In practice, in
> these early days, you can't count on much 5011 deployment because
> implementations haven't been available for that long.

Yes, I'd gathered that.

> This situation puts the operator of a popular signed zone, such as a
> TLD, in a difficult position and makes KSK rolls difficult--but only
> if the KSK is statically configured. Meanwhile, we now have a
> perfectly good signed root zone that can vouch for any TLD's KSK. As
> a result, as the impending registry operator for .gov, VeriSign
> doesn't want to encourage static configuration of the .gov KSK as a
> trust anchor. Such static configuration would be made easier and
> implicitly condoned if the .gov KSK were published and authenticatable
> outside of DNS.

Ok, having re-read this a third time, now on a full sized screen, I guess
I see what you're driving at: you don't *want* an out-of-band auth channel,
*because people will use it*.

> Note that the situation is the same today with the signed .net zone
> (and will be the same for the .com zone when it is signed in Q1 of
> 2011): the .net KSK is intentionally not published outside DNS. The
> path to trusting that key is via the signed DS record corresponding to
> it in the root zone.

Just remember what Lazarus Long said: "put all your eggs in one basket,
certainly.  But make sure it's a *very good*  basket."

-- jr 'where am I going?  And why am I in this handbasket?' a

More information about the NANOG mailing list