nanog mailing list archives
Re: .gov DNSSEC operational message
From: Matt Larson <mlarson () verisign com>
Date: Sun, 26 Dec 2010 12:07:03 -0500
On Thu, 23 Dec 2010, Jay Ashworth wrote:
From: "Matt Larson" <mlarson () verisign com>The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone.That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell. Why was that decision taken, Matt?
Having a zone's KSK statically configured on validators as a trust anchor can lead to a world of hurt: when rolling the KSK, the zone owner has to get everyone to update their trust anchor configuration. In theory, the protocol described in RFC 5011 allows an operator to signal a roll and validators will do the right thing. In practice, in these early days, you can't count on much 5011 deployment because implementations haven't been available for that long. This situation puts the operator of a popular signed zone, such as a TLD, in a difficult position and makes KSK rolls difficult--but only if the KSK is statically configured. Meanwhile, we now have a perfectly good signed root zone that can vouch for any TLD's KSK. As a result, as the impending registry operator for .gov, VeriSign doesn't want to encourage static configuration of the .gov KSK as a trust anchor. Such static configuration would be made easier and implicitly condoned if the .gov KSK were published and authenticatable outside of DNS. Note that the situation is the same today with the signed .net zone (and will be the same for the .com zone when it is signed in Q1 of 2011): the .net KSK is intentionally not published outside DNS. The path to trusting that key is via the signed DS record corresponding to it in the root zone. Matt
Current thread:
- .gov DNSSEC operational message Matt Larson (Dec 22)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 23)
- Re: .gov DNSSEC operational message Matt Larson (Dec 26)
- Re: .gov DNSSEC operational message Doug Barton (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight bmanning (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight Doug Barton (Dec 28)
- Re: .gov DNSSEC operational message - picking a fight Tony Finch (Dec 29)
- Re: .gov DNSSEC operational message - picking a fight bmanning (Dec 29)
- Re: .gov DNSSEC operational message Matt Larson (Dec 26)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Robert E. Seastrom (Dec 29)
- Re: .gov DNSSEC operational message Tony Finch (Dec 29)
- Re: .gov DNSSEC operational message Valdis . Kletnieks (Dec 29)
- Re: .gov DNSSEC operational message bmanning (Dec 29)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 23)