[dns-operations] .Org DNSSEC key management policy feedback
Andrew Sullivan
ajs at shinkuro.com
Mon Jun 22 17:11:25 UTC 2009
On Sun, Jun 21, 2009 at 03:24:20PM +0000, bmanning at vacation.karoshi.com wrote:
> On Sun, Jun 21, 2009 at 07:50:47AM -0700, David Conrad wrote:
> > Yes, but until the root is signed, people will still need to update
> > their trust anchors to reflect all the islands of trust, including the
> > TLDs, they want to validate.
> even then, they might want to keep the .ORG key
I'm rather hoping not. Given the way BIND prefers the "closest"
configured trust anchor, I think it will make things less reliable.
Suppose people decide to keep their existing .org key, and then the
root is signed, and the key-keepers think, "Good," and stop checking
for updates. On the next .org key-roll, all of .org instantly goes
dark for those people with the stale key.
A
--
Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.
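The failure mode Andrew describes, as an added Python model (not code from the thread, from .org, or from BIND): a validator that starts from the closest configured trust anchor is run before and after a constructed .org KSK roll, with and without a stale .org anchor left in place. The zone names, key tags and validation logic are assumptions for illustration only.

```python
from dataclasses import dataclass

@dataclass
class Zone:
    ksk_tags: set   # key tags of the KSKs published in this zone's DNSKEY RRset
    parent_ds: set  # key tags the parent's DS RRset for this zone points at

def suffixes(qname):
    """All ancestor names of qname, most specific first, ending with the root."""
    labels = qname.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def validate(qname, zones, anchors):
    """Validate qname starting from the closest configured trust anchor.
    Returns (secure, reason)."""
    start = next((s for s in suffixes(qname) if s in anchors), None)
    if start is None:
        return False, "no trust anchor covers " + qname
    # The configured anchor must match a KSK the starting zone still publishes.
    if not anchors[start] & zones[start].ksk_tags:
        return False, "stale trust anchor for %s: configured %s, zone publishes %s" % (
            start, sorted(anchors[start]), sorted(zones[start].ksk_tags))
    chain = [s for s in suffixes(qname) if s in zones]   # e.g. example.org., org., .
    for name in reversed(chain[: chain.index(start)]):  # top-down, strictly below the anchor
        if not zones[name].parent_ds & zones[name].ksk_tags:
            return False, "DS at parent matches no KSK in " + name
    return True, "secure via trust anchor " + start

def scenario(org_rolled, keep_stale_org_anchor):
    """Constructed key tags: 1234 is the old .org KSK, 5678 the new one, 111 the root KSK."""
    org_tags = {5678} if org_rolled else {1234}
    zones = {
        ".": Zone(ksk_tags={111}, parent_ds=set()),
        "org.": Zone(ksk_tags=org_tags, parent_ds=set(org_tags)),  # root's DS follows the roll
        "example.org.": Zone(ksk_tags={42}, parent_ds={42}),
    }
    anchors = {".": {111}}            # root is signed and its anchor is configured
    if keep_stale_org_anchor:
        anchors["org."] = {1234}      # the .org anchor nobody kept updating
    return validate("www.example.org.", zones, anchors)

if __name__ == "__main__":
    for rolled, stale in [(False, True), (True, False), (True, True)]:
        print("org rolled:", rolled, "stale .org anchor:", stale, "->", scenario(rolled, stale))
```

Only the combination of a completed .org roll and a retained .org anchor fails, and it fails even though a valid root anchor is configured, because the closer anchor is chosen first.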