[dns-operations] A request for "data"

Warren Kumari warren at kumari.net
Sat Apr 27 00:58:35 UTC 2024


On Thu, Apr 25 2024 at 12:15 PM, Tim Wicinski <tjw.ietf at gmail.com> wrote:

> I know in our fancy pants nominum s/w we run at cox I add the
> line "managed-keys" and like magic we're pulling 5011 automagic maintained.
>
> got time later today? I am open
>
> On Thu, Apr 25, 2024 at 11:58 AM Edward Lewis <edward.lewis at icann.org>
> wrote:
>
>> An open question...
>>
>> Is anyone aware of any use of Automated Updates of DNS Trust Anchors,
>> documented in RFC 5011, in the last 5 years or so?  Does anyone know of a
>> zone (other than the root) that documents or publicizes a reliance on
>> Automated Updates?
>>
>
Probably not, because there aren't really any (public) trust anchors other
than the root.


>> For the record, the last time a ccTLD published a revoked SEP key was April
>> 9, 2019 (this was not the revocation of the root zone KSK but a TLD's
>> KSK), so I know that none of the TLDs have completed an Automated Updates
>> roll since then.
>>
>
I don't really understand under what conditions I'd want to have a
trust-anchor for any (public) zone. The root is signed, the TLDs publish
their DS in the root, 2nd levels publish in the TLD, etc. Having a trust
anchor for anything under the root seems to just be asking for trouble — if
a TLD needed to roll their keys (because of compromise or just on schedule)
they can easily and quickly do so under the current paradigm. If I've also
installed their key as a separate TA they have a whole long and involved
process to go through. The only time that I could see this being "useful"
would be if I were in a country that wanted to be able to disconnect itself
from the public Internet for an extended period of time…


>> I have no historical data below the TLD level, so I'm seeking anecdotal
>> evidence of reliance on Automated Updates anywhere (else) in the global
>> public Internet.  I doubt there is any, but that is based on absolutely no
>> data and personal assumptions.
>>
>>
Yeah, I think that we have both been saying "public" throughout this thread
because there may well be uses of this for private, non-Internet connected
zones, which we will not really be able to see…

W


>> Private replies are fine...I'm not trying to name operators, just evaluate
>> the mechanism's adoption.
>>
>> Ed Lewis
>>
>>
>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>
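As an added illustration of the mechanism Ed is asking about (example code written for this archive page, not code from the thread, from BIND, or from the Nominum software Tim mentions): the script below computes DNSKEY key tags, sets the RFC 5011 REVOKE bit the way a TLD publishing a revoked SEP key does, and walks a validator's installed trust anchor through the AddPend, Valid and Revoked states across a KSK roll. K1 and K2 are constructed keys (the base64 is an 8-byte stand-in, not real key material); RRSIG verification, which RFC 5011 requires before any of these transitions is taken, is assumed to have been done by the caller; and the handling of a key that is revoked while still pending is this example's own conservative choice rather than an edge in the RFC's state diagram.

```python
import base64
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

ZONE_KEY_FLAG, SEP_FLAG = 0x0100, 0x0001              # RFC 4034 section 2.1.1
REVOKE_FLAG = 0x0080                                  # RFC 5011 section 7
ADD_HOLD_DOWN = REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 sections 2.4.1 and 2.4.2


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    @classmethod
    def parse(cls, text):
        """Zone-file form: '<flags> <protocol> <algorithm> <base64 key ...>'."""
        flags, proto, alg, *b64 = text.split()
        return cls(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

    def key_tag(self):
        """RFC 4034 Appendix B key tag over the wire-format RDATA (all algorithms but RSA/MD5)."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key
        ac = 0
        for i, b in enumerate(rdata):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    @property
    def is_revoked(self):
        return bool(self.flags & REVOKE_FLAG)

    def revoked(self):
        """The key as the zone publishes it when revoking it: same material, REVOKE bit set."""
        return replace(self, flags=self.flags | REVOKE_FLAG)


def identity(key):
    """Track anchors by key material, never by tag: setting REVOKE changes the tag."""
    return bytes([key.algorithm]) + key.public_key


@dataclass(frozen=True)
class TrustAnchor:
    key: DNSKEY
    state: str        # Start, AddPend, Valid, Missing, Revoked
    since: datetime   # when the key entered `state`


def update_anchors(anchors, rrset, now):
    """One observation of an already-verified DNSKEY RRset (RFC 5011 section 2.2).
    `anchors` maps identity(key) -> TrustAnchor; a Revoked key past its hold-down is dropped."""
    present = {identity(k): k for k in rrset if k.flags & ZONE_KEY_FLAG and k.flags & SEP_FLAG}
    table = dict(anchors)
    for ident, ta in anchors.items():
        k = present.get(ident)
        if ta.state == "Start" and k is not None and not k.is_revoked:
            table[ident] = TrustAnchor(k, "AddPend", now)
        elif ta.state == "AddPend":
            if k is None or k.is_revoked:
                # Gone before the add hold-down elapsed, so the timer resets. RFC 5011 draws only
                # the Rem edge here; treating a revoked pending key the same way is this example's choice.
                table[ident] = TrustAnchor(ta.key, "Start", now)
            elif now - ta.since >= ADD_HOLD_DOWN:
                table[ident] = TrustAnchor(k, "Valid", now)
        elif ta.state == "Valid":
            if k is None:
                table[ident] = TrustAnchor(ta.key, "Missing", now)
            elif k.is_revoked:
                table[ident] = TrustAnchor(k, "Revoked", now)
        elif ta.state == "Missing" and k is not None:
            table[ident] = TrustAnchor(k, "Revoked" if k.is_revoked else "Valid", now)
        elif ta.state == "Revoked" and now - ta.since >= REMOVE_HOLD_DOWN:
            del table[ident]
    for ident, k in present.items():
        if ident not in anchors and not k.is_revoked:   # first sighting of a SEP key
            table[ident] = TrustAnchor(k, "AddPend", now)
    return table


K1 = DNSKEY.parse("257 3 8 AwEAAavN7xI=")   # constructed 8-byte stand-in, not a real key
K2 = DNSKEY(257, 3, 8, bytes(range(16)))    # constructed 16-byte stand-in, not a real key


def demo():
    """A KSK roll from K1 to K2 as a zone relying on RFC 5011 would publish it; returns
    {key tag: anchor state} after each observation."""
    t0 = datetime(2024, 4, 1, tzinfo=timezone.utc)
    observations = [
        (t0, [K1]),                                     # first sighting
        (t0 + timedelta(days=15), [K1]),                # still inside the add hold-down
        (t0 + timedelta(days=31), [K1, K2]),            # K1 trusted, K2 pending
        (t0 + timedelta(days=62), [K1.revoked(), K2]),  # K1 revoked (its tag changes), K2 trusted
        (t0 + timedelta(days=93), [K2]),                # K1 dropped after the remove hold-down
    ]
    anchors, snapshots = {}, []
    for when, rrset in observations:
        anchors = update_anchors(anchors, rrset, when)
        snapshots.append({ta.key.key_tag(): ta.state for ta in anchors.values()})
    return snapshots
```

Two things the walk-through makes concrete. Setting the REVOKE bit changes the key tag (here from 41451 to 41579), so anything that tracks anchors by tag, whether a resolver or the monitoring Ed describes, has to match on key material instead. And the roll needs three observations spaced by the 30-day hold-downs before the old anchor is gone, which is the long and involved process Warren contrasts with simply replacing a DS in the parent.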