[dns-operations] Online DNSSEC debugging tool now available

Olafur Gudmundsson ogud at ogud.com
Mon Jul 19 20:09:28 UTC 2010


On 19/07/2010 2:44 PM, bmanning at vacation.karoshi.com wrote:
> On Mon, Jul 19, 2010 at 01:40:25PM -0400, Andrew Sullivan wrote:
>> On Mon, Jul 19, 2010 at 05:35:36PM +0000, bmanning at vacation.karoshi.com wrote:
>>>> Because .org rolled their key, changed the DS in ., and didn't publish
>>>> a new TA?
>>>
>>>
>>> 	sounds irresponsible to me.
>>
>> Thanks.  You have now illustrated the argument about why it was not
>> obvious whether to put the DS into the root for .org, given that .org
>> made their plans about signing&c. long before it was clear that the
>> root would be signed.
>
> 	if an entity changes its crypto keys and only tells -some- of the
> 	parties who use it, that seems irresponsible to me.  the specifics
> 	of .org are outside my current understanding.
>

Bill,
If you publish a TA for any of your domains, how will you know if
I or anyone else has put this TA in our configuration file?

Furthermore, how can you be sure everyone that has your TA configured
reads your notice that the TA is going away?

If a webpage/blog contains a link to a current set
of TAs, including yours, someone will blindly copy this
into his/her name server configuration and never recheck.

How did you behave irresponsibly?

Of course, if everyone uses RFC5011 compliant software to monitor TAs,
the Revoke bit can be used to clear the trust anchor from the
configurations, or by having the parent advertise the same TA for at
least 6 months.

	Olafur
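As an added illustration of the RFC 5011 behaviour Olafur refers to (not code from the thread or from any resolver), the following is a minimal model of how an RFC 5011 aware validator updates its trust anchor set: a key carrying the REVOKE bit that has signed the DNSKEY RRset is dropped, a new SEP key is added only after the 30-day add hold-down, and an RRset not signed by a currently trusted key is ignored. Signature verification, and the mapping from key material to the `key_id` used here, are assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1)
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001
ADD_HOLD_DOWN = 30 * 24 * 3600  # RFC 5011 section 2.4.1: 30-day add hold-down

@dataclass
class DnsKey:
    # Assumed stable identifier derived from the key material. The RFC 4034
    # key tag is NOT suitable here because it changes when REVOKE is set.
    key_id: int
    flags: int

@dataclass
class AnchorState:
    valid: set = field(default_factory=set)      # trusted key ids
    pending: dict = field(default_factory=dict)  # key id -> time first seen
    revoked: set = field(default_factory=set)    # key ids never to be re-trusted

def update_anchors(state, rrset, signer_ids, now):
    """Apply one observed DNSKEY RRset to the trust anchor state.

    signer_ids: ids of keys whose RRSIG over this RRset verified
    cryptographically (the signature check itself is outside this example).
    """
    # RFC 5011 section 2.2: only an RRset signed by a currently valid anchor
    # may change the anchor set; a spoofed or stale RRset is ignored.
    if not (set(signer_ids) & state.valid):
        return state
    seen = set()
    for key in rrset:
        seen.add(key.key_id)
        if key.flags & REVOKE:
            # A revocation counts only if the revoked key also signed the
            # RRset, proving the key holder (not a third party) revoked it.
            if key.key_id in signer_ids:
                state.valid.discard(key.key_id)
                state.pending.pop(key.key_id, None)
                state.revoked.add(key.key_id)
        elif key.flags & SEP and key.key_id not in (state.valid | state.revoked):
            # New SEP key: start (or continue) the add hold-down timer.
            first_seen = state.pending.setdefault(key.key_id, now)
            if now - first_seen >= ADD_HOLD_DOWN:
                del state.pending[key.key_id]
                state.valid.add(key.key_id)
    # A pending key that disappears from the RRset restarts its hold-down.
    for key_id in list(state.pending):
        if key_id not in seen:
            del state.pending[key_id]
    return state
```

The model shows why the Revoke bit works without the key holder knowing who configured the TA: the revocation is carried in the zone itself, so every RFC 5011 follower sees it.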


