nanog mailing list archives
Re: Root Zone DNSSEC Deployment Technical Status Update
From: Joe Abley <jabley () hopcount ca>
Date: Fri, 23 Jul 2010 05:52:58 +0200
Hi Leo, Late reply! Sorry. Have been neglecting this folder. On 2010-07-16, at 16:53, Leo Bicknell wrote:
In a message written on Fri, Jul 16, 2010 at 02:35:39PM +0000, Joe Abley wrote:The transition from Deliberately-Unvalidatable Root Zone (DURZ) to production signed root zone took place on 2010-07-15 at 2050 UTC. The first full production signed root zone had SOA serial 2010071501. There have been no reported harmful effects. The root zone trust anchor can be found at <https://data.iana.org/root-anchors/>.Perhaps you could explain why the keys are being made available in formats that, as far as I can tell, no nameserver software on the planet uses?
There seem to be two related issues, here: 1. Why use a format that is non-native to any particular implementation? We made the decision to publish the trust anchor in a vendor-independent fashion. We also wanted a way of publishing a full set of current plus historic trust anchors (for which there is no obvious prior art). The XML representation you've seen has the advantage that precisely because it is not in a format directly amenable to cut and paste (although obviously you can scrape the RDATA out of it easily; it's just a text file) there's reduced risk that someone would paste an old trust anchor into a validator's configuration and experience great user hilarity. We have already seen people produce tools which can process the XML-published trust anchor set to configure validators. No doubt we will see more tools in future. Maybe some vendors will decide to support it directly. 2. Why publish the trust anchor as a hash of the public key (DS RDATA) rather than the public key itself (DNSKEY RDATA)? Because as far as we can identify, that's the consensus in the relevant IETF working groups for how trust anchors should be published. I've heard the argument both ways. Don't shoot the messenger. On a more general note we first published the document which described the trust anchor format back in January, and since then we've been soliciting input on that (and other documents) in more or less every ops meeting and ops mailing list you could mention. We got zero feedback on that document, and perhaps unreasonably we interpreted that as a lack of concern over (e.g.) the point you mentioned. Here's a link to the final version: http://www.root-dnssec.org/wp-content/uploads/2010/07/draft-icann-dnssec-trust-anchor-01.txt Joe
Current thread:
- Re: Root Zone DNSSEC Deployment Technical Status Update, (continued)
- Re: Root Zone DNSSEC Deployment Technical Status Update Mike (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Chris Adams (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Tony Finch (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Joel Jaeggli (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Jeffrey Ollie (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Joel Jaeggli (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Tony Finch (Jul 18)
- Re: Root Zone DNSSEC Deployment Technical Status Update Bjørn Mork (Jul 22)
- Re: Root Zone DNSSEC Deployment Technical Status Update Chris Adams (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Edward Lewis (Jul 16)
- Re: Root Zone DNSSEC Deployment Technical Status Update Joe Abley (Jul 22)