[dns-operations] Online DNSSEC debugging tool now available
bmanning at vacation.karoshi.com
Mon Jul 19 21:01:14 UTC 2010
On Mon, Jul 19, 2010 at 04:09:28PM -0400, Olafur Gudmundsson wrote:
> On 19/07/2010 2:44 PM, bmanning at vacation.karoshi.com wrote:
> >On Mon, Jul 19, 2010 at 01:40:25PM -0400, Andrew Sullivan wrote:
> >>On Mon, Jul 19, 2010 at 05:35:36PM +0000, bmanning at vacation.karoshi.com
> >>wrote:
> >>>>Because .org rolled their key, changed the DS in ., and didn't publish
> >>>>a new TA?
> >>>
> >>>
> >>> sounds irresponsible to me.
> >>
> >>Thanks. You have now illustrated the argument about why it was not
> >>obvious whether to put the DS into the root for .org, given that .org
> >>made their plans about signing&c. long before it was clear that the
> >>root would be signed.
> >
> > if an entity changes its crypto keys and only tells -some- of the
> > parties who use it, that seems irresponsible to me. the specifics
> > of .org are outside my current understanding.
> >
>
> Bill,
> If you publish a TA for any of your domains, how will you know if
> I or anyone else has put this TA in our configuration file?
If you scrape the TA from somewhere w/o permission
and use it in a manner inconsistent w/ its intended
use, you are on very thin ice when you complain that
I broke things for you when I change my crypto keys.
> Furthermore how can you be sure everyone that has your TA configured,
> reads your notice that TA is going away?
I can't. But I do have the defensible position that
appropriate notice was given.
> If a webpage/blog contains a link to a current set
> of TA's including yours, so someone will blindly copy this
> into his/her name server configuration and never rechecks.
>
> How did you behave irresponsibly?
I suspect that the answer to that question
would revolve around how I distributed the TA in the
first place. As a bank, I will send you your
PIN for your pin/chip card. If you choose to post
your PIN on a webpage/blog and then fuss at me when
some blackhat scrapes the PIN and pretends to be
you... I will tell you that it was not me that was irresponsible.
> Of course if everyone uses RFC5011 compliant software to monitor TA's,
> the Revoke bit can be used to clear the trust anchor from the
> configurations or having the parent advertise the same TA as for at
> least 6 months.
>
> Olafur
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
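The RFC 5011 behaviour Olafur refers to (a revoked trust anchor drops out of a resolver's configuration on its own, and a new key is only trusted after a hold-down period), as an added Python example that is not part of this thread or of any resolver's code; it assumes signature validity is modelled by the set of key ids that signed the DNSKEY RRset rather than checked cryptographically, and uses `key_id` as a stand-in for the key tag.

```python
from dataclasses import dataclass, field

REVOKE = 0x0080        # DNSKEY flags bit 8, RFC 5011 section 2.1
SEP = 0x0001           # Secure Entry Point bit, RFC 4034
ADD_HOLD_DOWN = 30     # days a new key must be seen before it becomes a trust anchor

@dataclass
class Dnskey:
    key_id: int        # assumption: stands in for the key tag (the real tag changes when REVOKE is set)
    flags: int

    def is_revoked(self) -> bool:
        return bool(self.flags & REVOKE)

@dataclass
class AnchorStore:
    # key_id -> [state, day the key entered add_pend]; states: add_pend, valid, revoked
    anchors: dict = field(default_factory=dict)

    def valid_ids(self) -> set:
        return {k for k, (state, _) in self.anchors.items() if state == "valid"}

    def process(self, rrset, signed_by, day):
        """Apply one observed DNSKEY RRset seen at `day`.
        `signed_by` is the set of key ids whose RRSIG over the RRset validated
        (constructed input; no cryptography is performed here)."""
        # New keys are only considered when a currently valid anchor signed the RRset.
        trusted_set = bool(self.valid_ids() & signed_by)
        for key in rrset:
            entry = self.anchors.get(key.key_id)
            if key.is_revoked():
                # Honour REVOKE only if the key signed the RRset itself; otherwise anyone
                # who could inject a DNSKEY record could strip a resolver's trust anchor.
                if entry and entry[0] in ("valid", "add_pend") and key.key_id in signed_by:
                    entry[0] = "revoked"      # no longer used for validation
                continue
            if entry is None and key.flags & SEP and trusted_set:
                self.anchors[key.key_id] = ["add_pend", day]   # hold-down timer starts
            elif entry and entry[0] == "add_pend" and trusted_set \
                    and day - entry[1] >= ADD_HOLD_DOWN:
                entry[0] = "valid"
        return {k: state for k, (state, _) in self.anchors.items()}
```

A key whose REVOKE bit is set but which did not sign the RRset leaves the store unchanged, which is the check that makes an unannounced key change safe to detect rather than a way to knock anchors out.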