[dnsext] historical root keys for upgrade path?

Paul Wouters <paul@xelerance.com> Tue, 25 January 2011 17:50 UTC

Date: Tue, 25 Jan 2011 12:53:11 -0500
From: Paul Wouters <paul@xelerance.com>
To: dnsext List <dnsext@ietf.org>
Message-ID: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com>
User-Agent: Alpine 1.10 (LFD 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format="flowed"; charset="US-ASCII"
Subject: [dnsext] historical root keys for upgrade path?
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>

A very large router vendor is about to make it mandatory that new devices
they produce use DNSSEC by default. One issue that comes up with that
is what happens if these devices were off long enough for a rollover to
have happened and the RFC 5011 bit/key has been retired.

Are there plans to create a zone with all old root keys, all of which sign the
DNSKEY RRset (e.g. rootkeys.root-servers.net), so that having ANY one old root
key could lead you to get a signed version of the latest root key? This way
you could disable DNSSEC to resolve rootkeys.root-servers.net, use your
current key to confirm the latest key, configure it, drop the cache,
and you're golden.

Is something like this even possible? I'm not sure what happens to the
root private keys once they are retired...

Paul
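The bootstrap the message proposes, modelled as an added example (this is not code from the original post, the IETF working group or any root operator). Everything in it is hypothetical: KSK-A, KSK-B and KSK-C stand in for successive root key-signing keys and are freshly generated toy keys, not real root keys; the signature scheme is textbook RSA over a SHA-256 digest rather than the RSA/SHA-256 encoding DNSSEC actually uses (RFC 5702); the key tag is a hash truncation rather than the RFC 4034 Appendix B checksum; and rootkeys.root-servers.net is only the name the message suggests. What the example shows is the validator logic: a device that still holds only an old KSK cannot validate today's root DNSKEY RRset, can validate the cross-signed historical RRset with that old key, and after adopting the keys from that RRset validates the live root; a device whose anchor was never a root KSK stays stranded.

```python
"""Toy model of a cross-signed 'historical root keys' zone and a resolver
bootstrapping a current trust anchor from an out-of-date one.

Hypothetical scenario constructed for illustration: KSK-A, KSK-B, KSK-C are
toy keys standing in for successive root KSKs, not real root keys. Textbook
RSA over SHA-256 is used instead of DNSSEC's RSA/SHA-256 (RFC 5702) encoding.
"""
from __future__ import annotations

import hashlib
import random
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

E = 65537          # public exponent, as for RSA keys in DNSSEC
MOD_BYTES = 64     # 512-bit toy modulus; far too small for real use


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test (probabilistic, enough for a toy keygen)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    """Random prime p with top bit set and E not dividing p-1 (so E is invertible mod phi)."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c) and (c - 1) % E != 0:
            return c


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


@dataclass(frozen=True)
class PubKey:
    """Public half of a toy DNSKEY: just the RSA modulus (exponent is fixed)."""
    n: int

    @property
    def tag(self) -> int:
        # Toy key tag: 16 bits of a hash of the modulus. RRSIGs carry the tag of
        # the key that made them so a validator can pick the matching DNSKEY.
        return int.from_bytes(hashlib.sha256(self.n.to_bytes(MOD_BYTES, "big")).digest()[:2], "big")

    def verify(self, msg: bytes, sig: int) -> bool:
        return pow(sig, E, self.n) == _digest(msg)


@dataclass(frozen=True)
class PrivKey:
    pub: PubKey
    d: int

    def sign(self, msg: bytes) -> int:
        return pow(_digest(msg), self.d, self.pub.n)


def keygen(bits: int = 512) -> PrivKey:
    p = _gen_prime(bits // 2)
    q = _gen_prime(bits // 2)
    while q == p:
        q = _gen_prime(bits // 2)
    return PrivKey(PubKey(p * q), pow(E, -1, (p - 1) * (q - 1)))


def canonical_dnskey_rrset(keys: List[PubKey]) -> bytes:
    """Canonical RRset ordering (RFC 4034 s.6 sorts RRs); here: sort by modulus."""
    return b"".join(k.n.to_bytes(MOD_BYTES, "big") for k in sorted(keys, key=lambda k: k.n))


def sign_rrset(keys: List[PubKey], signers: List[PrivKey]) -> Dict[int, int]:
    """One RRSIG per signing key, keyed by the signer's key tag."""
    msg = canonical_dnskey_rrset(keys)
    return {s.pub.tag: s.sign(msg) for s in signers}


def validate_dnskey_rrset(keys: List[PubKey], rrsigs: Dict[int, int],
                          trust_anchors: List[PubKey]) -> Optional[PubKey]:
    """Return the trust anchor that validates the RRset, or None if no held key can.

    As a validator would, only RRSIGs whose key tag matches a held anchor are tried.
    """
    msg = canonical_dnskey_rrset(keys)
    for ta in trust_anchors:
        sig = rrsigs.get(ta.tag)
        if sig is not None and ta.verify(msg, sig):
            return ta
    return None


def run_scenario() -> Dict[str, bool]:
    ksk_a, ksk_b, ksk_c = keygen(), keygen(), keygen()   # successive hypothetical root KSKs; C is current
    live_root = [ksk_c.pub]
    live_sigs = sign_rrset(live_root, [ksk_c])          # the live root signs only with the current KSK

    # The proposed zone: every KSK ever used, with an RRSIG from every one of them.
    hist_keys = [k.pub for k in (ksk_a, ksk_b, ksk_c)]
    hist_sigs = sign_rrset(hist_keys, [ksk_a, ksk_b, ksk_c])

    device = [ksk_a.pub]   # shipped with KSK-A only, then powered off through two rollovers
    direct = validate_dnskey_rrset(live_root, live_sigs, device)          # fails: no RRSIG by KSK-A
    via_hist = validate_dnskey_rrset(hist_keys, hist_sigs, device)        # succeeds via KSK-A's RRSIG
    refreshed = hist_keys if via_hist is not None else device
    after = validate_dnskey_rrset(live_root, live_sigs, refreshed)        # now validates with KSK-C
    stranded = validate_dnskey_rrset(hist_keys, hist_sigs, [keygen().pub])  # never a root KSK: no path
    return {
        "direct_ok": direct is not None,
        "bootstrap_ok": via_hist == ksk_a.pub,
        "after_ok": after == ksk_c.pub,
        "stranded": stranded is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two things the toy makes visible. First, the validator must ignore RRSIGs whose key tag it does not hold rather than treating them as failures, or the cross-signed RRset never validates on a device with one old key. Second, a zone in which any historical key alone authenticates the current key is exactly as strong as the weakest retired key: whoever can still sign with a retired private key can feed an old device a forged "current" key, which is why the closing question about what happens to retired root private keys matters for the proposal.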