.gov DNSSEC operational message

bmanning at vacation.karoshi.com
Wed Dec 29 04:25:27 UTC 2010


On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote:
> 
> Yes, having a verifiable source of keys OOB might have a small bit of
> value, but, assuming we get general adoption of RFC 5011, I think it's
> pretty limited value. Of course, this begs the question, how do we do a
> better job of verifying the keys received out of band than the root zone
> does of verifying the keys? Sort of a chicken and egg problem.
> -- 
> R. Kevin Oberman, Network Engineer

	presumes RFC 5011 is viable.  fall outside the 30day window and
	you're screwed. :)  that said,  what folks came up w/ for the root
	key roll might be a useful template, e.g. the use of TCR's and
	use an M/N assurance check - in those rare cases where you're just
	foobarr'ed and you can't take your servers into the SCIF to rekey.

	and/or an alternative to the strict timing constraints in RFC 5011
	with a protocol that gives more leeway for a node being offline
	over a keyroll interval.

	There -should- be a functional equivalent of OTAR for DNSSEC keys
	that is not constrained to a tight window... IMHO of course.


--bill
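The "fall outside the 30-day window" failure mode above can be made concrete with a small model of the RFC 5011 trust-anchor state machine (sections 2.1, 2.2 and 2.4.1). This is an added illustration for the thread, not code from the post's author; the key names (KSK-A, KSK-B), the rollover timeline in zone_rrset() and the resolver poll schedules are constructed assumptions. It shows that a resolver which is offline long enough to miss the add hold-down period, or even one that returns before the old key is revoked but with fewer than 30 days left, ends up with no usable trust anchor and cannot recover in-band.

```python
"""Toy model of the RFC 5011 trust-anchor state machine (sections 2.1, 2.2
and 2.4.1), written as an added illustration for this thread; it is not code
from the post's author.  Key names (KSK-A, KSK-B), the rollover timeline in
zone_rrset() and the resolver poll schedules are constructed assumptions."""
from dataclasses import dataclass

ADD_HOLD_DOWN_DAYS = 30  # RFC 5011 add hold-down time, the "30-day window"


@dataclass
class Observation:
    """One fetch of a zone's DNSKEY RRset (constructed data)."""
    day: int
    keys: set        # key tags present in the RRset
    revoked: set     # subset of keys carrying the REVOKE flag bit
    signers: set     # keys whose RRSIG covers this RRset


@dataclass
class Anchor:
    state: str           # "AddPend", "Valid" or "Revoked"
    pending_since: int = 0


class Resolver:
    """Tracks trust anchors for one trust point, e.g. a TLD's KSK set."""

    def __init__(self, initial_key: str):
        self.anchors = {initial_key: Anchor("Valid")}

    def valid_keys(self) -> set:
        return {k for k, a in self.anchors.items() if a.state == "Valid"}

    def can_validate(self, obs: Observation) -> bool:
        return bool(obs.signers & self.valid_keys())

    def observe(self, obs: Observation) -> bool:
        """Feed one DNSKEY RRset; returns False if it could not be trusted."""
        # Revocation (2.1): an anchor with REVOKE set is accepted as revoked
        # only when that key itself signs the RRset.
        for k in obs.revoked & obs.signers & set(self.anchors):
            self.anchors[k].state = "Revoked"
        # Everything else (2.2) needs an RRSIG from a still-Valid anchor; a
        # resolver that returns after the old key is gone stops here forever.
        if not self.can_validate(obs):
            return False
        # New, unrevoked keys enter AddPend and start the hold-down timer.
        for k in obs.keys - set(self.anchors) - obs.revoked:
            self.anchors[k] = Anchor("AddPend", obs.day)
        # Pending keys must stay visible for the whole hold-down (2.4.1).
        for k, a in list(self.anchors.items()):
            if a.state != "AddPend":
                continue
            if k not in obs.keys:
                del self.anchors[k]            # disappeared: back to Start
            elif obs.day - a.pending_since >= ADD_HOLD_DOWN_DAYS:
                a.state = "Valid"
        return True


def zone_rrset(day: int) -> Observation:
    """Constructed KSK rollover: KSK-B published on day 10, KSK-A revoked on
    day 60 (50 days later) and withdrawn on day 75."""
    if day < 10:
        return Observation(day, {"KSK-A"}, set(), {"KSK-A"})
    if day < 60:
        return Observation(day, {"KSK-A", "KSK-B"}, set(), {"KSK-A"})
    if day < 75:
        return Observation(day, {"KSK-A", "KSK-B"}, {"KSK-A"}, {"KSK-A", "KSK-B"})
    return Observation(day, {"KSK-B"}, set(), {"KSK-B"})


def simulate(poll_days) -> tuple:
    """Run a resolver over the given poll schedule; report whether it can still
    validate the zone on day 90 and which anchors it ended up trusting."""
    r = Resolver("KSK-A")
    for d in poll_days:
        r.observe(zone_rrset(d))
    return r.can_validate(zone_rrset(90)), r.valid_keys()


if __name__ == "__main__":
    always_on = range(0, 91)
    down_past_roll = list(range(0, 10)) + list(range(80, 91))  # back after KSK-A is gone
    down_35_days = list(range(0, 10)) + list(range(45, 91))    # back 15 days before revocation
    for name, sched in [("always on", always_on),
                        ("offline until day 80", down_past_roll),
                        ("offline days 10-44", down_35_days)]:
        ok, keys = simulate(sched)
        print(f"{name:22s} validates on day 90: {ok}  valid anchors: {sorted(keys)}")
```

The third schedule is the instructive one: the resolver is back online while KSK-A still signs, so it does see KSK-B and starts the hold-down, but the publisher revokes KSK-A after only 15 more days, and a key in AddPend cannot validate anything, so the trust point is dead. The only remedies left are the out-of-band ones the thread discusses (manual re-anchoring, or an M/N check against independently published trust anchors), which is why a looser offline tolerance than the strict RFC 5011 timers is being asked for.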
