[dns-operations] .Org DNSSEC key management policy feedback
drc at virtualized.org
Wed Jun 24 05:38:21 UTC 2009
On Jun 23, 2009, at 6:34 PM, Mark Andrews wrote:
>> Who do you think is going to be managing trust anchors?
> Everyone validating needs to manage trust-anchors.
Then, depending on your definition of "manage", I suspect DNSSEC is
doomed and we should probably just give up and go home now. If your
model of operation is one in which people are constantly fiddling with
the validating server configuration and tolerating booboos that cause
validation to fail for arcane reasons, then you are assuming an
operational world that I am unfamiliar with.
The vast, vast majority of folks neither want nor should need to
manage their trust anchors. The best we can probably hope for is for
the vast, vast majority of folks to blindly accept what Microsoft,
Apple, Linux distribution packagers, Belkin, Cisco, et al., provide
via their standard OS update mechanisms. An infinitesimal set of more
advanced folks and those who have corporate IT policies that disallow
them from trusting vendor updates might automate fetching the root
trust anchor themselves, but they're going to be really rare.
> RFC 5011 doesn't magically start.
5011 is almost certainly a red herring.