[dns-operations] .Org DNSSEC key management policy feedback

Roy Arends roy at dnss.ec
Tue Jun 23 00:41:29 UTC 2009 

On Jun 23, 2009, at 9:39 AM, Mark Andrews wrote:

>
> In message <1D337EA2-A581-47CE-98AA-E95754465293 at dnss.ec>, Roy  
> Arends writes:
>> On Jun 23, 2009, at 3:11 AM, Andrew Sullivan wrote:
>>
>>> On Sun, Jun 21, 2009 at 03:24:20PM +0000, bmanning at vacation.karoshi.com
>>> wrote:
>>>> On Sun, Jun 21, 2009 at 07:50:47AM -0700, David Conrad wrote:
>>>
>>>>> Yes, but until the root is signed, people will still need to  
>>>>> update
>>>>> their trust anchors to reflect all the islands of trust, including
>>>>> the
>>>>> TLDs, they want to validated.
>>>
>>>> 	even then, they might want to keep the .ORG key
>>>
>>> I'm rather hoping not.  Given the way BIND prefers the "closest"
>>> configured trust anchor, I think it will make things less reliable.
>>> Suppose people decide to keep their existing .org key, and then the
>>> root is signed, and the key-keepers think, "Good," and stop checking
>>> for updates.  On the next .org key-roll, all of .org instantly goes
>>> dark for those people with the stale key.
>>
>> That still hasn't been fixed?  It seems wrong and very annoying. In  
>> my
>> end user experience, it violates the principle of least astonishment.
>
> 	Actually it doesn't.  If you configure a trust-anchor for
> 	your own company you don't want anything overriding it.
> 	Having that overridden would be POLA violation.
>
> 	Having things break because you stopped managing/tracking
> 	them is not a POLA violation.

That is a niche kind of market. It would be nice if this behavior  
would be configurable, but should not be the default. You seem to be  
under the impression that this behavior is standardized in some  
protocol specification, and thus should be the default.


>
>> I remember the main counter argument was that folks might want to
>> configure the .ORG key for everything in and under .ORG, and not  
>> trust
>> the root key for .ORG, but do trust the root key for everything else.
>> Doesn't fly. There might be simple dependencies from domains under  
>> ORG
>> on something not ORG. See for instance http://www.links.org/?p=635 on
>> "who pwns the internet".
>
> 	For . and ORG I agree.  For ORG and ISC.ORG I disagree.
> 	For wattle.id.au (when it is signed) and andrews.wattlet.id.au
> 	I disagree.  There are couple of hundred zones where your
> 	policy makes sense.  There are millions where named's default
> 	policy will make sense.

Imagine I have configured a key for au and for net.au. The latter key  
is not updated. Whoops, there goes id.au.

> 	Your policy model make sense if you *start* doing DNSSEC
> 	during the bottom up development phase.

That is, imho, the phase we're getting into.

>  If you start in
> 	the top down phase it doesn't and top down is the long term
> 	status.

By that time, this policy should be configurable, and eventually, the  
default can be changed on behalf on market demand.

Kind regards,

Roy

More information about the dns-operations mailing list