[dns-operations] .Org DNSSEC key management policy feedback

David Conrad drc at virtualized.org
Wed Jun 24 04:17:36 UTC 2009


Who do you think is going to be managing trust anchors?


On Jun 23, 2009, at 5:38 PM, Mark Andrews wrote:

> In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan  
> writes:
>> Or else no-one will have any trust anchor at all, because everyone is
>> afraid to turn on DNSSEC since it magically breaks the Internet from
>> time to time and you have to be one of the 20 people in the world who
>> follow the details of DNS protocols to understand why.  It's this
>> initial hurdle I'm focussed on clearing out of the way.  Since there
>> is a possible path to your long term goal that does not cause the
>> hurdle to exist, why not take that one?
> 	If you turn on DNSSEC it will be brittle if you don't manage
> 	your trust anchors even when it is only the root's trust
> 	anchor you have installed.  You cannot avoid managing
> 	trust-anchors.  You can automate it to some degree with RFC
> 	5011 but you cannot avoid it.
> 	Saying you can avoid managing trust-anchors for ORG because
> 	you have trust-anchors for the root is sending the wrong
> 	message.  You manage all trust anchors.
> 	Mark
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list