[dns-operations] .Org DNSSEC key management policy feedback

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Tue Jun 23 23:27:22 UTC 2009


> > or last quarter's losses.  
> > 
> > This sort of scenario, repeated at various places on the network,
> > would be an extremely bad blow for DNSSEC deployment.  Given the way
> > things are currently arranged, I fully expect it to happen at least a
> > few times in some places, and the only questions are how often it will
> > happen and how unrealistic the DNS community will look for having
> > designed something so brittle.
> > 
> > A
> > 
> > -- 
> > Andrew Sullivan
> > ajs at shinkuro.com
> > Shinkuro, Inc.
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> 
> 	Nobody is doubting that it can happen and undoubtedly will
> 	happen if you turn on dnssec and don't have management
> 	proceedures for those trust anchors.
> 
> 	Worse yet however is management saying you MUST use these
> 	trust anchors and the validator skipping over them.  It's
> 	like adding a modem to your desktop box inside the firewall
> 	and "sharing the network" through it.
> 
> 	In the end no one will have trust anchors for ORG or any
> 	TLD unless they are grafting on namespace and then it is
> 	pointless to skip over the trust anchor at the graft point.
> 	They will have trust anchors for the root and for their own
> 	company and that is about all.  And the trust anchors for
> 	the root still have to be managed along with those you learn
> 	from your employer.
> 
> 	Mark
> -- 

	i;m going to have my school keys, my employer keys,  the keys for my wifes 
	consulting business, my childrens schools keys, the keys for my bank,
	grocers and other sales outlets... and the keys for my state and federal
	taxing authorities... i'm sure there are others.  I may not ever use
	the root key.  i live in a web of trust, its not a strict hierarchy of
	the root and one key ofr my employer.

	perhaps I am unique in the world.


--bill



More information about the dns-operations mailing list