IETF Logo Mail Archive

[dnsext] A question about the need for "historical keys"

Edward Lewis <Ed.Lewis@neustar.biz> Fri, 28 January 2011 18:07 UTC

Return-Path: <Ed.Lewis@neustar.biz>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDB393A6889 for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 10:07:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.275
X-Spam-Level:
X-Spam-Status: No, score=-102.275 tagged_above=-999 required=5 tests=[AWL=0.324, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-9CvH7EbUBs for <dnsext@core3.amsl.com>; Fri, 28 Jan 2011 10:07:44 -0800 (PST)
Received: from stora.ogud.com (stora.ogud.com [66.92.146.20]) by core3.amsl.com (Postfix) with ESMTP id E8F4B3A6859 for <dnsext@ietf.org>; Fri, 28 Jan 2011 10:07:43 -0800 (PST)
Received: from Work-Laptop-2.local (gatt.md.ogud.com [10.20.30.6]) by stora.ogud.com (8.14.4/8.14.4) with ESMTP id p0SIAgBp008901; Fri, 28 Jan 2011 13:10:43 -0500 (EST) (envelope-from Ed.Lewis@neustar.biz)
Received: from [10.31.200.110] by Work-Laptop-2.local (PGP Universal service); Fri, 28 Jan 2011 13:10:49 -0500
X-PGP-Universal: processed; by Work-Laptop-2.local on Fri, 28 Jan 2011 13:10:49 -0500
Mime-Version: 1.0
Message-Id: <a06240802c968b4fefc24@[10.31.200.110]>
In-Reply-To: <4D430265.8020100@cisco.com>
References: <4D41D3E2.6060107@cisco.com> <3125F45F-7594-498F-AFA3-D2D738A228F5@hopcount.ca> <4D42ED13.5030000@cisco.com> <562C7583-B719-482F-B201-EFB54138BAF1@icsi.berkeley.edu> <E4865E48-383B-4591-AF27-34571C4AA367@nominum.com> <4D430265.8020100@cisco.com>
Date: Fri, 28 Jan 2011 13:08:28 -0500
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Scanned-By: MIMEDefang 2.68 on 10.20.30.4
Cc: ed.lewis@neustar.biz
Subject: [dnsext] A question about the need for "historical keys"
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jan 2011 18:07:45 -0000

This question is mostly aimed at Paul Wouter and others that are 
pushing for a DNS-based mechanism to update keys.

Why is the updating of the DNSSEC root-zone KSK different than 
updating any other piece of data, configuration, or code (soft or 
firmware) in a dormant piece of equipment?

I ask this to see if there is some requirement that leads to a 
crafted solution for this problem.  I just don't see that this is a 
special case, we have other ways to update stuff already.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

With a week old newborn at home, I've discovered that the only 
difference between him and me is that I have to go to work daily. 
That's not fair!  Ma!

v2.23.0 | Report a Bug | By Email