[dns-operations] .Org DNSSEC key management policy feedback

Mark Andrews marka at isc.org
Wed Jun 24 06:19:12 UTC 2009


In message <73F9EFB8-E651-4283-A706-42C81FC14D45 at virtualized.org>, David Conrad
 writes:
> Mark,
> 
> On Jun 23, 2009, at 6:34 PM, Mark Andrews wrote:
> >> Who do you think is going to be managing trust anchors?
> > 	Everyone validating needs to manage trust-anchors.
> 
> Then, depending on your definition of "manage", I suspect DNSSEC is  
> doomed and we should probably just give up and go home now. If your  
> model of operation is one in which people are constantly fiddling with  
> the validating server configuration and tolerating booboos that cause  
> validation to fail for arcane reasons, then you are assuming an  
> operational world that I am unfamiliar with.
> 
> The vast, vast majority of folks neither want nor should need to  
> manage their trust anchors.  The best we can probably hope for is for  
> the vast, vast majority of folks to blindly accept what Microsoft,  
> Apple, Linux distribution packagers, Belkin, Cisco, et al., provide  
> via their standard OS update mechanisms.

	Which will work for the root, maybe with very long overlap
	periods for KSKs.  For the rest nameserver operators will
	need to take responsibility.

	Mark

> An infinitesimal set of more  
> advanced folks and those who have corporate IT policies that disallow  
> them from trusting vendor updates might automate fetching the root  
> trust anchor themselves, but they're going to be really rare.
> 
> > 	RFC 5011 doesn't magically start.
> 
> 5011 is almost certainly a red herring.
> 
> Regards,
> -drc
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


