[dns-operations] Root KSK rollover and trust anchors (was Re: .Org DNSSEC key management policy feedback)

Joe Abley jabley at hopcount.ca
Thu Jun 25 23:52:17 UTC 2009

On 26-Jun-2009, at 03:37, Andrew Sullivan wrote:

> On Thu, Jun 25, 2009 at 11:33:50AM +1200, Joe Abley wrote:
>> vendor-specific update channels ("Windows Update" and friends). There
>> has been talk of 5011, but concern over how a device which  
>> disconnects
>> over the rollover window might recover when it wakes up.
> What about
> http://tools.ietf.org/html/draft-wijngaards-dnsext-trust-history-02 to
> deal with that?

I have not yet found the time to ponder on that in any detail, but it  
looks like a good thing.

In general, though, my assumption is that there will be multiple  
overlapping solutions to the general problem space. I don't think we  
need to worry about choosing just one, in either the short or long term.

In particular, using multiple mechanisms to gain trust in a trust  
anchor helps defend against the possibility that a key compromise led  
to any single publication mechanism distributing harmful data, masking  
the intent of the real key holder to effect an emergency roll.


More information about the dns-operations mailing list