[dns-operations] .Org DNSSEC key management policy feedback

Mark Andrews marka at isc.org
Wed Jun 24 03:38:50 UTC 2009

In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan writes:
> Or else no-one will have any trust anchor at all, because everyone is
> afraid to turn on DNSSEC since it magically breaks the Internet from
> time to time and you have to be one of the 20 people in the world who
> follow the details of DNS protocols to understand why.  It's this
> initial hurdle I'm focussed on clearing out of the way.  Since there
> is a possible path to your long term goal that does not cause the
> hurdle to exist, why not take that one?

	If you turn on DNSSEC it will be brittle if you don't manage
	your trust anchors even when it is only the root's trust
	anchor you have installed.  You cannot avoid managing
	trust-anchors.  You can automate it to some degree with RFC
	5011 but you cannot avoid it.

	Saying you can avoid managing trust-anchors for ORG because
	you have trust-anchors for the root is sending the wrong
	message.  You manage all trust anchors.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list