[dns-operations] .Org DNSSEC key management policy feedback
Roy Arends
roy at dnss.ec
Mon Jun 22 17:30:02 UTC 2009
On Jun 23, 2009, at 3:11 AM, Andrew Sullivan wrote:
> On Sun, Jun 21, 2009 at 03:24:20PM +0000, bmanning at vacation.karoshi.com
> wrote:
>> On Sun, Jun 21, 2009 at 07:50:47AM -0700, David Conrad wrote:
>
>>> Yes, but until the root is signed, people will still need to update
>>> their trust anchors to reflect all the islands of trust, including
>>> the TLDs, they want to validate.
>
>> even then, they might want to keep the .ORG key
>
> I'm rather hoping not. Given the way BIND prefers the "closest"
> configured trust anchor, I think it will make things less reliable.
> Suppose people decide to keep their existing .org key, and then the
> root is signed, and the key-keepers think, "Good," and stop checking
> for updates. On the next .org key-roll, all of .org instantly goes
> dark for those people with the stale key.
That still hasn't been fixed? It seems wrong and very annoying. In my
end user experience, it violates the principle of least astonishment.
I remember the main counter argument was that folks might want to
configure the .ORG key for everything in and under .ORG, and not trust
the root key for .ORG, but do trust the root key for everything else.
Doesn't fly. There might be simple dependencies from domains under ORG
on something not ORG. See for instance http://www.links.org/?p=635 on
"who pwns the internet".
kind regards,
Roy
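The failure mode Andrew describes (a validator that always picks the "closest" configured trust anchor, so a stale .org key blacks out all of .org after a key roll even though a perfectly good root anchor is configured) is easy to reproduce in a small model. The following is an added illustration, not code from BIND or from anyone in this thread: zones, keys and DS links are plain constructed strings, and the `any_enclosing` policy is a hypothetical contrast showing what a validator that falls back to other enclosing anchors would do, not a claim about how BIND behaves.

```python
"""Toy model of closest-trust-anchor validation and the stale .org anchor
problem.  Added example: names and key strings are constructed, and
'validation' simply means every link in the chain matches."""

from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                              # FQDN with trailing dot; "." is the root
    ksk: str                               # stand-in for the zone's current KSK
    ds: dict = field(default_factory=dict)  # child zone -> KSK the parent vouches for


def parent_of(name):
    """'example.org.' -> 'org.', 'org.' -> '.'"""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def is_under(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def closest_anchor(anchors, name):
    """The configured anchor whose zone is the longest suffix of `name`."""
    candidates = [z for z in anchors if is_under(name, z)]
    return max(candidates, key=len) if candidates else None


def chain(name, top):
    """Zones from `top` down to `name`, e.g. ['.', 'org.', 'example.org.']."""
    path = [name]
    while path[-1] != top:
        if path[-1] == ".":
            raise ValueError(f"{top} is not an ancestor of {name}")
        path.append(parent_of(path[-1]))
    return path[::-1]


def validates_from(zones, anchors, name, top):
    # A stale anchor fails right here: the configured key is no longer the zone's KSK.
    if anchors[top] != zones[top].ksk:
        return False
    path = chain(name, top)
    # Each parent must publish a DS-like link for the child's current KSK.
    return all(zones[parent].ds.get(child) == zones[child].ksk
               for parent, child in zip(path, path[1:]))


def validate(zones, anchors, name, policy="closest"):
    if policy == "closest":                 # the behaviour the thread complains about
        top = closest_anchor(anchors, name)
        return top is not None and validates_from(zones, anchors, name, top)
    if policy == "any_enclosing":           # hypothetical alternative for contrast
        return any(validates_from(zones, anchors, name, z)
                   for z in anchors if is_under(name, z))
    raise ValueError(policy)


def scenario():
    """Root is signed, the operator kept a static .org anchor, then .org rolls."""
    zones = {
        ".": Zone(".", "ROOT-KSK-1", {"org.": "ORG-KSK-1"}),
        "org.": Zone("org.", "ORG-KSK-1", {"example.org.": "EX-KSK-1"}),
        "example.org.": Zone("example.org.", "EX-KSK-1"),
    }
    anchors = {".": "ROOT-KSK-1", "org.": "ORG-KSK-1"}
    results = {"before_roll": validate(zones, anchors, "example.org.")}

    # .org rolls its KSK and the root publishes the new DS, but nobody
    # updates the locally configured .org anchor.
    zones["org."].ksk = "ORG-KSK-2"
    zones["."].ds["org."] = "ORG-KSK-2"
    results["stale_org_anchor"] = validate(zones, anchors, "example.org.")
    # Mitigation 1: drop the .org anchor once the root is signed.
    results["root_anchor_only"] = validate(zones, {".": "ROOT-KSK-1"}, "example.org.")
    # Mitigation 2: keep checking for updates and refresh the .org anchor on roll.
    results["refreshed_org_anchor"] = validate(
        zones, {".": "ROOT-KSK-1", "org.": "ORG-KSK-2"}, "example.org.")
    # Hypothetical validator that also tries the other enclosing anchors.
    results["fallback_policy"] = validate(zones, anchors, "example.org.", "any_enclosing")
    return results


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:22s} {'validates' if v else 'goes dark'}")
```

The `stale_org_anchor` case is the "all of .org instantly goes dark" outcome: the root anchor is valid and the root's DS for .org is correct, but the closest-anchor rule never consults it. Removing the per-TLD anchor once the root is signed, or actually tracking the .org roll, both restore validation.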