[dns-operations] .Org DNSSEC key management policy feedback

Andrew Sullivan ajs at shinkuro.com
Mon Jun 22 17:11:25 UTC 2009

On Sun, Jun 21, 2009 at 03:24:20PM +0000, bmanning at vacation.karoshi.com wrote:
> On Sun, Jun 21, 2009 at 07:50:47AM -0700, David Conrad wrote:

> > Yes, but until the root is signed, people will still need to update  
> > their trust anchors to reflect all the islands of trust, including the  
> > TLDs, they want to validated.
> 	even then, they might want to keep the .ORG key

I'm rather hoping not.  Given the way BIND prefers the "closest"
configured trust anchor, I think it will make things less reliable.
Suppose people decide to keep their existing .org key, and then the
root is signed, and the key-keepers think, "Good," and stop checking
for updates.  On the next .org key-roll, all of .org instantly goes
dark for those people with the stale key.


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the dns-operations mailing list