[dns-operations] .Org DNSSEC key management policy feedback
Mark Andrews
marka at isc.org
Wed Jun 24 03:38:50 UTC 2009
In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan writes:
> Or else no-one will have any trust anchor at all, because everyone is
> afraid to turn on DNSSEC since it magically breaks the Internet from
> time to time and you have to be one of the 20 people in the world who
> follow the details of DNS protocols to understand why. It's this
> initial hurdle I'm focussed on clearing out of the way. Since there
> is a possible path to your long term goal that does not cause the
> hurdle to exist, why not take that one?
If you turn on DNSSEC it will be brittle if you don't manage
your trust anchors even when it is only the root's trust
anchor you have installed. You cannot avoid managing
trust-anchors. You can automate it to some degree with RFC
5011 but you cannot avoid it.
Saying you can avoid managing trust-anchors for ORG because
you have trust-anchors for the root is sending the wrong
message. You manage all trust anchors.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
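The resolver-side difference Mark is describing, as an added example that is not part of this thread: a BIND 9 named.conf that pins trust anchors statically (every rollover is a manual edit, and a missed one turns validation failures into the "magically breaks the Internet" case Andrew mentions) beside the RFC 5011 form, where the resolver tracks rollovers itself once the initial key is installed. This assumes BIND 9.7-era syntax (`trusted-keys` and `managed-keys`); the flags/protocol/algorithm fields and the base64 key strings are placeholders, not the real root or ORG keys, which must be obtained and verified out of band.

```conf
// Added example (not from the thread). Key fields and base64 material are
// placeholders; fetch and verify the real DNSKEYs before using this.

options {
    dnssec-enable yes;
    dnssec-validation yes;
    // RFC 5011 needs somewhere writable to persist the learned key state
    // (assumed path, adjust for your install).
    managed-keys-directory "/var/named/dynamic";
};

// (1) Brittle form: static anchors. Nothing updates these; when the zone
//     rolls its KSK, validation for everything under it fails until an
//     operator edits this file.
//
// trusted-keys {
//     "."    257 3 8 "AwEAA...placeholder-root-ksk...";
//     "org." 257 3 7 "AwEAA...placeholder-org-ksk...";
// };

// (2) RFC 5011 form: the listed key is only the *initial* anchor. named
//     watches the zone's DNSKEY RRset, accepts a new SEP key once it has
//     been seen signed by a current anchor for the hold-down period, and
//     drops keys that are published with the REVOKE bit. Each anchor is
//     still managed: you install it, keep the state directory writable,
//     and monitor for keys stuck in the pending state.
managed-keys {
    "."    initial-key 257 3 8 "AwEAA...placeholder-root-ksk...";
    "org." initial-key 257 3 7 "AwEAA...placeholder-org-ksk...";
};
```

Having the root anchor does not remove the ORG entry from the second block; each anchor you configure is tracked independently, which is the "you manage all trust anchors" point. If the resolver is offline longer than the zone's rollover timeline, RFC 5011 cannot catch up and the key must be reinstalled by hand, so the automation reduces the work but does not eliminate it.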