[dns-operations] .Org DNSSEC key management policy feedback
Mark Andrews
marka at isc.org
Wed Jun 24 04:34:16 UTC 2009
In message <F4E3109D-E823-49D0-B8F0-019ABC204D65 at virtualized.org>, David Conrad
writes:
> Mark,
>
> Who do you think is going to be managing trust anchors?
>
> Thanks,
> -drc
Everyone validating needs to manage trust-anchors. DNSSEC
won't work if you don't manage trust-anchors. They are not
set and forget.
RFC 5011 doesn't magically start. It requires a conscious
decision to do it and the zone's keys need to be managed
by the zone operator with RFC 5011 in mind.
RFC 5011 doesn't work if the validator is turned off for
too long.
I'm sure there will be SNAFUs made by zone operators in
their RFC 5011 management.
Trying to track a zone's keys using RFC 5011 to a zone that
is pre-publishing DS records just won't work.
Mark
> On Jun 23, 2009, at 5:38 PM, Mark Andrews wrote:
>
> >
> > In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan
> > writes:
> >> Or else no-one will have any trust anchor at all, because everyone is
> >> afraid to turn on DNSSEC since it magically breaks the Internet from
> >> time to time and you have to be one of the 20 people in the world who
> >> follow the details of DNS protocols to understand why. It's this
> >> initial hurdle I'm focussed on clearing out of the way. Since there
> >> is a possible path to your long term goal that does not cause the
> >> hurdle to exist, why not take that one?
> >
> > If you turn on DNSSEC it will be brittle if you don't manage
> > your trust anchors even when it is only the root's trust
> > anchor you have installed. You cannot avoid managing
> > trust-anchors. You can automate it to some degree with RFC
> > 5011 but you cannot avoid it.
> >
> > Saying you can avoid managing trust-anchors for ORG because
> > you have trust-anchors for the root is sending the wrong
> > message. You manage all trust anchors.
> >
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> >
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
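The "validator turned off for too long" failure Mark describes, as an added example that is not part of this thread: a deliberately simplified RFC 5011 state machine (one trust point, add hold-down only, polled once per day) run against a constructed rollover schedule for a hypothetical zone with keys K1 and K2. Key names, the schedule and the daily-poll simplification are all assumptions of this example.

```python
ADD_HOLD_DOWN = 30  # RFC 5011 add hold-down time in days (validator polls once per day here)

class Rfc5011Validator:
    """Simplified RFC 5011 trust-anchor tracking for a single trust point.
    self.anchors maps key name -> (state, day the state was entered)."""

    def __init__(self, initial_key, start_day=0):
        # The first anchor is configured out of band by the operator
        self.anchors = {initial_key: ("Valid", start_day)}

    def poll(self, day, zone_keys, signers):
        """zone_keys: {key: revoked_flag} from the DNSKEY RRset; signers: keys whose RRSIGs
        cover it. Returns False (changing nothing) if no Valid anchor signs the RRset."""
        valid = {k for k, (state, _) in self.anchors.items() if state == "Valid"}
        if not valid & signers:
            return False  # no trusted key signs the RRset: 5011 processing stalls
        for key, revoked in zone_keys.items():
            state, since = self.anchors.get(key, (None, day))
            if state is None:
                self.anchors[key] = ("AddPend", day)  # new key seen: start hold-down
            elif state == "AddPend" and day - since >= ADD_HOLD_DOWN:
                self.anchors[key] = ("Valid", day)  # hold-down elapsed: now trusted
            elif state == "Valid" and revoked and key in signers:
                self.anchors[key] = ("Revoked", day)  # self-signed REVOKE bit seen
        # A pending key that disappears before the hold-down ends starts over
        for key in [k for k, (s, _) in self.anchors.items() if s == "AddPend"]:
            if key not in zone_keys:
                del self.anchors[key]
        return True

def zone_rrset(day):
    """Constructed rollover schedule for a hypothetical zone: K2 pre-published on
    day 10, K1 revoked on day 50 (RRset signed by both), K1 dropped on day 90."""
    if day < 10:
        return {"K1": False}, {"K1"}
    if day < 50:
        return {"K1": False, "K2": False}, {"K1"}
    if day < 90:
        return {"K1": True, "K2": False}, {"K1", "K2"}
    return {"K2": False}, {"K2"}

def run(online_days):
    """Start with K1 as the only anchor; return (last poll validated?, Valid anchors)."""
    v = Rfc5011Validator("K1")
    ok = True
    for day in online_days:
        ok = v.poll(day, *zone_rrset(day))
    return ok, sorted(k for k, (s, _) in v.anchors.items() if s == "Valid")
```

A validator that polls every day ends up trusting K2; one that is down from day 5 to day 94 comes back holding only K1, cannot validate an RRset signed solely by K2, and therefore can never learn K2 through RFC 5011. Only a manually installed anchor gets it going again.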