[dns-operations] .Org DNSSEC key management policy feedback

Roy Arends roy at dnss.ec
Mon Jun 22 17:30:02 UTC 2009

On Jun 23, 2009, at 3:11 AM, Andrew Sullivan wrote:

> On Sun, Jun 21, 2009 at 03:24:20PM +0000, bmanning at vacation.karoshi.com 
>  wrote:
>> On Sun, Jun 21, 2009 at 07:50:47AM -0700, David Conrad wrote:
>>> Yes, but until the root is signed, people will still need to update
>>> their trust anchors to reflect all the islands of trust, including  
>>> the
>>> TLDs, they want to validated.
>> 	even then, they might want to keep the .ORG key
> I'm rather hoping not.  Given the way BIND prefers the "closest"
> configured trust anchor, I think it will make things less reliable.
> Suppose people decide to keep their existing .org key, and then the
> root is signed, and the key-keepers think, "Good," and stop checking
> for updates.  On the next .org key-roll, all of .org instantly goes
> dark for those people with the stale key.

That still hasn't been fixed? It seems wrong and very annoying. In my  
end user experience, it violates the principle of least astonishment.

I remember the main counter argument was that folks might want to  
configure the .ORG key for everything in and under .ORG, and not trust  
the root key for .ORG, but do trust the root key for everything else.  
Doesn't fly. There might be simple dependencies from domains under ORG  
on something not ORG. See for instance http://www.links.org/?p=635 on  
"who pwns the internet".

kind regards,


More information about the dns-operations mailing list