[dns-operations] .Org DNSSEC key management policy feedback
drc at virtualized.org
Wed Jun 24 04:17:36 UTC 2009
Who do you think is going to be managing trust anchors?
On Jun 23, 2009, at 5:38 PM, Mark Andrews wrote:
> In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan
>> Or else no-one will have any trust anchor at all, because everyone is
>> afraid to turn on DNSSEC since it magically breaks the Internet from
>> time to time and you have to be one of the 20 people in the world who
>> follow the details of DNS protocols to understand why. It's this
>> initial hurdle I'm focussed on clearing out of the way. Since there
>> is a possible path to your long term goal that does not cause the
>> hurdle to exist, why not take that one?
> If you turn on DNSSEC it will be brittle if you don't manage
> your trust anchors even when it is only the root's trust
> anchor you have installed. You cannot avoid managing
> trust-anchors. You can automate it to some degree with RFC
> 5011 but you cannot avoid it.
> Saying you can avoid managing trust-anchors for ORG because
> you have trust-anchors for the root is sending the wrong
> message. You manage all trust anchors.
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org