[dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC trust-anchor notice for 1.3.e164.arpa.
Antoin Verschuren
Antoin.Verschuren at sidn.nl
Mon Jan 10 14:59:25 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The key in our current zone was explicitly stated not to be used as a trust anchor yet:
https://www.enum.nl/nl/dnssec/dnssec-status-for-13e164arpa.html
That's why we don't expect users to have this configured.
This message is therefore only informational, as we promised changes to our policy to be published on the relevant mailinglists.
We tested rollovers for this zone already with this not to be trusted key.
Our first intention was to have this key to be used as a trust anchor, as the root was not ready yet.
Now that we are ready to submit our key to our parent, and the root is signed, we see no need to state our own trust anchor, so our policy changed.
Since we will also replace our signing infrastructure, and the current key is not to be trusted anyway, we decided to start with a new key altogether.
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl http://www.sidn.nl/
> -----Original Message-----
> From: dns-operations-bounces at lists.dns-oarc.net [mailto:dns-operations-
> bounces at lists.dns-oarc.net] On Behalf Of Doug Barton
> Sent: Saturday, January 08, 2011 3:39 AM
> To: Marco Davids
> Cc: dnssec at dnssec.nl; dns-operations at lists.dns-oarc.net; enum-wg at ripe.net;
> dnssec-deployment at dnssec-deployment.org
> Subject: Re: [dns-operations] [Dnssec-deployment] [ENUM-NL] DNSSEC trust-
> anchor notice for 1.3.e164.arpa.
>
> On 01/07/2011 03:23, Marco Davids (SIDN) wrote:
>
> > Since we anticipate that only very few people have actually configured
> > the present trust-anchor (if any), we will *not* perform a full-blown
> > key roll-over. Instead we will simply remove the old key and introduce a
> > new one.
>
> With all due respect, I think this is the wrong approach. :) If your
> assessment is correct and very few people have the key configured IMO
> now is the perfect time to practice doing a proper rollover.
>
> > The new trust-anchor will not be published in an authenticated manner
> > outside DNS (for example on an SSL-protected web page as before),
> > because it will have it's DS record in the parent.
>
> Assuming that there is a trust path all the way from this zone to the
> root, that's not only Ok, (once again IMO) that's preferable.
>
>
> Doug
>
> --
>
> Nothin' ever doesn't change, but nothin' changes much.
> -- OK Go
>
> Breadth of IT experience, and depth of knowledge in the DNS.
> Yours for the right price. :) http://SupersetSolutions.com/
>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)
wsBVAwUBTSsezTqHrM883AgnAQgDSwf8Do9RhARTaqtTWkTsmbLpF4cCBrkSuxki
gPGJTnumBYSgYwwrsTRYvMHONXQSB7iFvypsLSdnDhb0eLg5ueq4nsfp99oed0GL
K3SQPnqc609WCWKqQqklQiSAHzVLbsvp9IFBSuwKEUnlw8ono/CrGzp06izGxFe4
1S1Nig5/NE4rgiUbTIFw9XU33rEJTuyGvlRQeKXZ5Rn4CEXUXCZoZ9vrt/ZBN54K
xhReLrMNjmfMVy5M0N/aWa0CY3bBh3avYXNgExCEMO4kGReriUFO239/YZkFcys2
aEVRLzPRRzZmHgdSKugiUtFWvqggrNTKiQ8qDyVvt8+veLmX/TRAAg==
=bMEw
-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20110110/aecd7b30/attachment.html>
More information about the dns-operations
mailing list