[dns-operations] .Org DNSSEC key management policy feedback

David Conrad drc at virtualized.org
Wed Jun 24 05:38:21 UTC 2009


On Jun 23, 2009, at 6:34 PM, Mark Andrews wrote:
>> Who do you think is going to be managing trust anchors?
> Everyone validating needs to manage trust-anchors.

Then, depending on your definition of "manage", I suspect DNSSEC is
doomed and we should probably just give up and go home now. If your
model of operation is one in which people are constantly fiddling with
the validating server configuration and tolerating booboos that cause
validation to fail for arcane reasons, then you are assuming an
operational world that I am unfamiliar with.

The vast, vast majority of folks neither want nor should need to
manage their trust anchors.  The best we can probably hope for is for
the vast, vast majority of folks to blindly accept what Microsoft,
Apple, Linux distribution packagers, Belkin, Cisco, et al., provide
via their standard OS update mechanisms.  An infinitesimal set of more
advanced folks and those who have corporate IT policies that disallow
them from trusting vendor updates might automate fetching the root
trust anchor themselves, but they're going to be really rare.

> RFC 5011 doesn't magically start.

5011 is almost certainly a red herring.