[dns-operations] .Org DNSSEC key management policy feedback
marka at isc.org
Wed Jun 24 06:19:12 UTC 2009
In message <73F9EFB8-E651-4283-A706-42C81FC14D45 at virtualized.org>, David Conrad
> On Jun 23, 2009, at 6:34 PM, Mark Andrews wrote:
> >> Who do you think is going to be managing trust anchors?
> > Everyone validating needs to manage trust-anchors.
> Then, depending on your definition of "manage", I suspect DNSSEC is
> doomed and we should probably just give up and go home now. If your
> model of operation is one in which people are constantly fiddling with
> the validating server configuration and tolerating booboos that cause
> validation to fail for arcane reasons, then you are assuming an
> operational world that I am unfamiliar with.
> The vast, vast majority of folks neither want nor should need to
> manage their trust anchors. The best we can probably hope for is for
> the vast, vast majority of folks to blindly accept what Microsoft,
> Apple, Linux distribution packagers, Belkin, Cisco, et al., provide
> via their standard OS update mechanisms.
Which will work for the root, maybe with very long overlap
periods for KSKs. For the rest nameserver operators will
need to take responsibility.
> An infinitesimal set of more
> advanced folks and those who have corporate IT policies that disallow
> them from trusting vendor updates might automate fetching the root
> trust anchor themselves, but they're going to be really rare.
> > RFC 5011 doesn't magically start.
> 5011 is almost certainly a red herring.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
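An added illustration (not part of the thread, and not ISC or BIND code): a toy Python model of the RFC 5011 trust-anchor state machine, run over a constructed KSK roll with the 30-day add and remove hold-downs. The key IDs 19036 and 20326, the day-by-day timeline, and the "signed_by" stand-in for real RRSIG validation are all assumptions made for the example. It shows the two points made above: a resolver that already holds a Valid anchor follows the roll automatically, while a resolver with no anchor, or one whose only anchor was rolled away while it was offline longer than the overlap, gets nothing from 5011 and has to be fixed by hand.

```python
"""Toy RFC 5011 trust-anchor state machine (added example; not from the thread
or from ISC/BIND). Key IDs, timings and the signature model are constructed."""
from dataclasses import dataclass
from enum import Enum

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 add hold-down: 30 days
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 remove hold-down: 30 days


class State(Enum):
    ADD_PEND = "AddPend"
    VALID = "Valid"
    MISSING = "Missing"
    REVOKED = "Revoked"
    REMOVED = "Removed"


@dataclass(frozen=True)
class ObservedKey:
    key_id: int
    revoked: bool          # DNSKEY REVOKE flag set
    signed_by: frozenset   # key IDs whose RRSIG over this DNSKEY RRset verifies


@dataclass
class Anchor:
    key_id: int
    state: State
    since: int             # seconds at which the anchor entered this state


class TrustAnchorStore:
    """A validating resolver's anchor set for one zone (here: the root)."""

    def __init__(self, anchors):
        self.anchors = {a.key_id: a for a in anchors}

    def valid_ids(self):
        return {k for k, a in self.anchors.items() if a.state == State.VALID}

    def state_of(self, key_id):
        a = self.anchors.get(key_id)
        return a.state.value if a else "Start"

    def observe(self, rrset, now):
        """Apply one observed DNSKEY RRset. Returns False and changes nothing when
        no currently Valid anchor signs it: 5011 cannot start from nothing."""
        signers = set()
        for key in rrset:
            signers |= key.signed_by
        if not signers & self.valid_ids():
            return False
        seen = {key.key_id for key in rrset}
        for key in rrset:
            anchor = self.anchors.get(key.key_id)
            if anchor is None:
                if not key.revoked:  # new key: start its add hold-down
                    self.anchors[key.key_id] = Anchor(key.key_id, State.ADD_PEND, now)
            elif anchor.state == State.REMOVED:
                continue
            elif key.revoked and key.key_id in key.signed_by:
                if anchor.state != State.REVOKED:  # self-signed revocation
                    anchor.state, anchor.since = State.REVOKED, now
            elif anchor.state == State.ADD_PEND and now - anchor.since >= ADD_HOLD_DOWN:
                anchor.state, anchor.since = State.VALID, now
            elif anchor.state == State.MISSING:
                anchor.state, anchor.since = State.VALID, now
        for anchor in list(self.anchors.values()):
            if anchor.state == State.REVOKED:
                if now - anchor.since >= REMOVE_HOLD_DOWN:
                    anchor.state, anchor.since = State.REMOVED, now
            elif anchor.key_id not in seen:
                if anchor.state == State.ADD_PEND:
                    del self.anchors[anchor.key_id]  # hold-down never completed
                elif anchor.state == State.VALID:
                    anchor.state, anchor.since = State.MISSING, now
        return True


OLD, NEW = 19036, 20326  # constructed key IDs for the old and new KSK


def root_rollover_scenario():
    """Constructed KSK roll as seen by a resolver bootstrapped out of band with
    the old KSK. Returns (day, accepted, old_state, new_state) per step."""
    store = TrustAnchorStore([Anchor(OLD, State.VALID, 0)])
    history = []

    def step(day, rrset):
        ok = store.observe(rrset, day * DAY)
        history.append((day, ok, store.state_of(OLD), store.state_of(NEW)))

    both = [ObservedKey(OLD, False, frozenset({OLD, NEW})),
            ObservedKey(NEW, False, frozenset({OLD, NEW}))]
    step(0, both)    # new KSK published: AddPend
    step(10, both)   # inside the add hold-down: no change
    step(31, both)   # hold-down elapsed: new KSK Valid
    step(60, [ObservedKey(OLD, True, frozenset({OLD, NEW})),
              ObservedKey(NEW, False, frozenset({OLD, NEW}))])  # old KSK revoked
    step(91, [ObservedKey(NEW, False, frozenset({NEW}))])       # old KSK gone
    return history


def cold_start_fails():
    """No anchor at all: the RRset cannot be trusted, whatever it contains."""
    return TrustAnchorStore([]).observe([ObservedKey(NEW, False, frozenset({NEW}))], 0)


def stale_resolver_fails():
    """Offline for the whole overlap: only the old KSK is trusted, only the new
    one signs, so 5011 cannot recover and the anchor must be replaced by hand."""
    store = TrustAnchorStore([Anchor(OLD, State.VALID, 0)])
    return store.observe([ObservedKey(NEW, False, frozenset({NEW}))], 91 * DAY)


if __name__ == "__main__":
    for row in root_rollover_scenario():
        print("day %3d accepted=%s old=%s new=%s" % row)
    print("cold start:", cold_start_fails(), "stale resolver:", stale_resolver_fails())
```

The overlap that matters here is the window in which both KSKs sign the RRset: the resolver must see the new key continuously for the add hold-down and see the revocation while it still trusts the old key. Any resolver that misses that whole window ends up in the stale_resolver_fails case, which is why a short overlap pushes the work back onto the operator.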