[dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

Ondřej Surý ondrej.sury at nic.cz
Mon Jun 6 10:02:25 UTC 2016


No matter what, the KSK is going to be rolled, so it's futile to resist at this moment.

For a background see:

1. https://www.icann.org/resources/pages/ksk-rollover
2. https://www.iana.org/reports/2016/root-ksk-rollover-design-20160307.pdf

This "The IANA Functions Contract requires ICANN to perform a Root Zone KSK rollover" mostly answers your question, but I agree it's good to practice a Root KSK rollover for operational purposes now and to change the algorithm in the future.

Cheers,
Ondrej

--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.sury at nic.cz    https://nic.cz/
 --------------------------------------------

----- Original Message -----
> From: "Florian Weimer" <fweimer at redhat.com>
> To: "Paul Wouters" <paul at nohats.ca>, "Jan Včelák" <jan.vcelak at nic.cz>
> Cc: dns-operations at dns-oarc.net
> Sent: Monday, June 6, 2016 11:20:49 AM
> Subject: Re: [dns-operations] Sad news today: systemd-resolved to be deployed in Ubuntu 16.10

> On 06/05/2016 08:31 PM, Paul Wouters wrote:
>> On Fri, 3 Jun 2016, Jan Včelak wrote:
>>
>>> I don't think this is necessarily a negative score point for systemd.
>>>
>>> I already trust my Linux distribution in what they are shipping. I don't
>>> mind whether it is a list of certification authorities or trust anchor
>>> for DNSSEC. For me, the trust point is the distribution signing key. And
>>> the package I can audit. I don't really fancy some software pulling in
>>> another trust anchor.
>>
>> If your machine is offline for the months during which a KSK rollover
>> happens, can you get online with enough DNS to update your OS to get
>> an updated trust anchor?
> 
> I still don't understand this.
> 
> Why would you do a KSK rollover if the key isn't compromised?  And if
> the KSK *is* compromised, you don't want to perform an automated update.
> 
> Florian
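Paul Wouters' question above, whether a host that sat offline across a KSK rollover still holds a usable trust anchor, comes down to whether the anchor on disk matches a KSK in the zone's current DNSKEY RRset. As an added example (not code from any poster or from systemd-resolved), this Python check derives a DS-style record from a DNSKEY (RFC 4034 key tag and SHA-256 digest) and compares it against configured anchor lines; the key bytes and the stale key tag are constructed and are not the real root KSK.

```python
import base64
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """DNS owner name in wire format; the root "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA (RFC 4034 section 2.1): flags, protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name wire format + DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()

def anchor_is_current(anchor_lines, dnskeys):
    """True if any configured DS-style anchor ("<tag> <alg> <digest type> <digest>")
    matches a KSK (SEP flag bit set) in the zone's current DNSKEY RRset."""
    current = set()
    for flags, proto, alg, key in dnskeys:
        if flags & 0x0001:  # SEP bit: this key is a KSK, the thing an anchor points at
            rd = dnskey_rdata(flags, proto, alg, key)
            current.add((key_tag(rd), alg, 2, ds_digest(".", rd)))
    for line in anchor_lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        tag, alg, dt, digest = int(fields[0]), int(fields[1]), int(fields[2]), fields[3].upper()
        if (tag, alg, dt, digest) in current:
            return True
    return False

# Constructed sample KSK for "." (NOT the real root key): flags 257, protocol 3, algorithm 8.
SAMPLE_KEY = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_KEY)
# Anchor as a host that updated after the rollover would hold it (DS-record fields)
FRESH_ANCHOR = f"{key_tag(SAMPLE_RDATA)} 8 2 {ds_digest('.', SAMPLE_RDATA)}"
# Anchor for a key that has been rolled out; constructed key tag and digest
STALE_ANCHOR = "12345 8 2 " + "00" * 32
```

A host whose only anchor is the stale one will fail validation for everything under the root until the anchor is refreshed, which is the situation the offline-machine question describes.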
