[dns-operations] .Org DNSSEC key management policy feedback
marka at isc.org
Wed Jun 24 04:34:16 UTC 2009
In message <F4E3109D-E823-49D0-B8F0-019ABC204D65 at virtualized.org>, David Conrad
> Who do you think is going to be managing trust anchors?
Everyone validating needs to manage trust-anchors. DNSSEC
won't work if you don't manage trust-anchors. They are not
set and forget.
RFC 5011 doesn't magically start. It requires a concious
decision to do it and the zone's keys need to be managed
by the zone operator with RFC 5011 in mind.
RFC 5011 doesn't work if the validator is turned off for
I'm sure there will be SNAFU's made by zone operators in
their RFC 5011 management.
Trying to track a zone's keys using RFC 5011 to a zone that
is pre-publishing DS records just won't work.
> On Jun 23, 2009, at 5:38 PM, Mark Andrews wrote:
> > In message <20090624024109.GA2665 at shinkuro.com>, Andrew Sullivan
> > writes:
> >> Or else no-one will have any trust anchor at all, because everyone is
> >> afraid to turn on DNSSEC since it magically breaks the Internet from
> >> time to time and you have to be one of the 20 people in the world who
> >> follow the details of DNS protocols to understand why. It's this
> >> initial hurdle I'm focussed on clearing out of the way. Since there
> >> is a possible path to your long term goal that does not cause the
> >> hurdle to exist, why not take that one?
> > If you turn on DNSSEC it will be brittle if you don't manage
> > your trust anchors even when it is only the root's trust
> > anchor you have installed. You cannot avoid managing
> > trust-anchors. You can automate it to some degree with RFC
> > 5011 but you cannot avoid it.
> > Saying you can avoid managing trust-anchors for ORG because
> > you have trust-anchors for the root is sending the wrong
> > message. You manage all trust anchors.
> > Mark
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations at lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations