[dns-operations] .Org DNSSEC key management policy feedback

Mark Andrews marka at isc.org
Wed Jun 24 06:19:12 UTC 2009

In message <73F9EFB8-E651-4283-A706-42C81FC14D45 at virtualized.org>, David Conrad
> Mark,
> On Jun 23, 2009, at 6:34 PM, Mark Andrews wrote:
> >> Who do you think is going to be managing trust anchors?
> > 	Everyone validating needs to manage trust-anchors.
> Then, depending on your definition of "manage", I suspect DNSSEC is  
> doomed and we should probably just give up and go home now. If your  
> model of operation is one in which people are constantly fiddling with  
> the validating server configuration and tolerating booboos that cause  
> validation to fail for arcane reasons, then you are assuming an  
> operational world that I am unfamiliar with.
> The vast, vast majority of folks neither want nor should need to  
> manage their trust anchors.  The best we can probably hope for is for  
> the vast, vast majority of folks to blindly accept what Microsoft,  
> Apple, Linux distribution packagers, Belkin, Cisco, et al., provide  
> via their standard OS update mechanisms.

	Which will work for the root, maybe with very long overlap
	periods for KSKs.  For the rest nameserver operators will
	need to take responsibility.


> An infinitesimal set of more  
> advanced folks and those who have corporate IT policies that disallow  
> them from trusting vendor updates might automate fetching the root  
> trust anchor themselves, but they're going to be really rare.
> > 	RFC 5011 doesn't magically start.
> 5011 is almost certainly a red herring.
> Regards,
> -drc
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
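The two points Mark makes above, that RFC 5011 only works once an initial anchor has been configured out of band and that KSK rollovers need an overlap longer than the add hold-down time, can be seen in a simplified model of the RFC 5011 trust-point state machine. The following is an added example, not code from this thread or from ISC; the key names, timestamps and the "signers" sets are constructed sample data, keys are abstract names rather than real key tags, and daily polling is assumed.

```python
# Added example: simplified RFC 5011 trust-anchor state machine.  Not code from
# the original thread or from ISC.  Key names, times and "signers" sets are
# constructed sample data; a real resolver works with key tags (and revoking a
# key changes its tag), and polls on the RRSIG/TTL-derived schedule of s2.3.
from dataclasses import dataclass

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 s2.4.1
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 s2.4.2
REVOKE = 0x0080              # DNSKEY flags REVOKE bit, RFC 5011 s2.1

# Trust point key states (RFC 5011 s4.1).  "Start" and "Removed" are modelled
# by the key simply not being in the store.
ADDPEND, VALID, MISSING, REVOKED = "AddPend", "Valid", "Missing", "Revoked"


@dataclass
class Observation:
    """One polled DNSKEY RRset (constructed): fetch time, the keys present
    with their flags, and the key names whose RRSIGs over the RRset verified."""
    t: int
    keys: dict
    signers: set


class TrustAnchorStore:
    def __init__(self, initial=()):
        # 5011 does not bootstrap itself: the first anchor(s) arrive out of
        # band (OS package, manual configuration, ...).
        self.anchors = {name: (VALID, 0) for name in initial}

    def trusted(self):
        """Keys usable for validation: Valid, plus Missing (which the RFC
        says remains a valid trust point key).  AddPend and Revoked are not."""
        return {k for k, (s, _) in self.anchors.items() if s in (VALID, MISSING)}

    def observe(self, obs):
        # Only a DNSKEY RRset signed by a key we already trust is acted on, so
        # an empty store never learns anything (s2.2).
        if not (self.trusted() & obs.signers):
            return False
        for name, flags in obs.keys.items():
            state, since = self.anchors.get(name, (None, None))
            if flags & REVOKE:
                # A revocation counts only when the revoked key itself signs
                # the RRset (s2.1).  An AddPend key goes back to Start.
                if name in obs.signers and state == ADDPEND:
                    del self.anchors[name]
                elif name in obs.signers and state in (VALID, MISSING):
                    self.anchors[name] = (REVOKED, obs.t)
            elif state is None:
                self.anchors[name] = (ADDPEND, obs.t)       # Start -> AddPend
            elif state == ADDPEND and obs.t - since >= ADD_HOLD_DOWN:
                self.anchors[name] = (VALID, obs.t)         # AddPend -> Valid
            elif state == MISSING:
                self.anchors[name] = (VALID, obs.t)         # Missing -> Valid
        for name, (state, since) in list(self.anchors.items()):
            if state == REVOKED and obs.t - since >= REMOVE_HOLD_DOWN:
                del self.anchors[name]                      # Revoked -> Removed
            elif name not in obs.keys and state == ADDPEND:
                del self.anchors[name]                      # AddPend -> Start
            elif name not in obs.keys and state == VALID:
                self.anchors[name] = (MISSING, obs.t)       # Valid -> Missing
        return True


def without_bootstrap():
    """A resolver with no configured anchor: the RRset is ignored."""
    store = TrustAnchorStore()
    acted = store.observe(Observation(0, {"k": 257}, {"k"}))
    return acted, set(store.anchors)


def rollover(overlap_days):
    """KSK 'new' is published at day 0 next to the configured anchor 'old';
    'old' is revoked after overlap_days, then dropped from the zone 30 days
    later.  Returns (usable anchors, keys still in the store) at the end."""
    store = TrustAnchorStore(initial=["old"])
    for day in range(overlap_days + 61):
        t = day * DAY
        if day < overlap_days:
            obs = Observation(t, {"old": 257, "new": 257}, {"old", "new"})
        elif day < overlap_days + 30:
            obs = Observation(t, {"old": 257 | REVOKE, "new": 257}, {"old", "new"})
        else:
            obs = Observation(t, {"new": 257}, {"new"})
        store.observe(obs)
    return store.trusted(), set(store.anchors)


if __name__ == "__main__":
    print(without_bootstrap())   # nothing learned without an initial anchor
    print(rollover(40))          # 40-day overlap: 'new' is the sole anchor
    print(rollover(20))          # 20-day overlap: resolver left with no anchor
```

With a 40-day overlap the new KSK passes the add hold-down on day 30 and the old one is revoked on day 40 and removed on day 70. With a 20-day overlap the old key is revoked while the new one is still AddPend, so from that point no observed RRset validates against a usable anchor and the resolver is stuck with no trust anchor until someone reconfigures it by hand, which is the outcome the overlap periods are meant to prevent.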
