IETF Logo Mail Archive

Re: [dnsext] historal root keys for upgrade path?

Brian Dickson <brian.peter.dickson@gmail.com> Thu, 27 January 2011 17:46 UTC

Return-Path: <brian.peter.dickson@gmail.com>
X-Original-To: dnsext@core3.amsl.com
Delivered-To: dnsext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FB4A3A69B2 for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 09:46:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.109
X-Spam-Level:
X-Spam-Status: No, score=-3.109 tagged_above=-999 required=5 tests=[AWL=0.490, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jgghG-SygXYs for <dnsext@core3.amsl.com>; Thu, 27 Jan 2011 09:46:15 -0800 (PST)
Received: from mail-fx0-f44.google.com (mail-fx0-f44.google.com [209.85.161.44]) by core3.amsl.com (Postfix) with ESMTP id 672113A6996 for <dnsext@ietf.org>; Thu, 27 Jan 2011 09:46:15 -0800 (PST)
Received: by fxm9 with SMTP id 9so2631162fxm.31 for <dnsext@ietf.org>; Thu, 27 Jan 2011 09:49:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=qW7+eFsPeQ1t3DMElFg6hbO6TZ1AwEGylD5tU0WEBkA=; b=qfD1YO4yfgyTEqRqS7wlYcvbWrK6Qi+eNMM775KlU3DNLWBzB6EXGJ8CFy8MEIT6kZ H6ZmAIk1OnIDqJJ9AtU/mCQCbhGNVRL1QWx5W4kNuNnkzMAsOn0J/tRaS8NzAa87v4j3 il28ya+6yD/nzxbtqLk5/J296rWFactUW/VPE=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=xpLtubko4qkoHzNfw1gox4sC+AS4htrYWzhje79OSAJZw2ru8KjCp+GrN/CwsE7IOw aQjzBsx/QLngjLGVa96iSdfY/rXinYwOSiDl0BuuzTSjNl46CxeLafO3qBiGh1v9F77O nNUZm/Ii5RNBBFBDS0W3Rt93vFrRQDk3MS7vg=
MIME-Version: 1.0
Received: by 10.223.123.142 with SMTP id p14mr1224018far.56.1296150558502; Thu, 27 Jan 2011 09:49:18 -0800 (PST)
Received: by 10.223.108.71 with HTTP; Thu, 27 Jan 2011 09:49:18 -0800 (PST)
In-Reply-To: <82vd1amfjm.fsf@mid.bfk.de>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <alpine.LFD.1.10.1101251510140.30991@newtla.xelerance.com> <alpine.LSU.2.00.1101261442120.3329@hermes-1.csi.cam.ac.uk> <AANLkTinCB-d2HWGY4kSOmfSCMNQ-D61keEE+1poTu11g@mail.gmail.com> <alpine.LFD.1.10.1101260958490.30991@newtla.xelerance.com> <82vd1amfjm.fsf@mid.bfk.de>
Date: Thu, 27 Jan 2011 13:49:18 -0400
Message-ID: <AANLkTi=eOGd0Ce0ei-c_MysqbHpp7NUWFPc-xCpt=muq@mail.gmail.com>
From: Brian Dickson <brian.peter.dickson@gmail.com>
To: Florian Weimer <fweimer@bfk.de>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Paul Hoffman <paul.hoffman@vpnc.org>, dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jan 2011 17:46:16 -0000

On Thu, Jan 27, 2011 at 1:18 PM, Florian Weimer <fweimer@bfk.de> wrote:
> * Paul Wouters:
>
>> Remember this has to work on a product that has just been factory
>> defaulted to a config from 10 years ago, and the device is EOL with
>> no firmware upgrades.
>
> Why?  Where does this requirement come from?

Operational reality...

There are two resource issues.

One is network engineers who are DNSSEC-knowledgeable.
(In numbers, routers >> managed customers >> noc staff >> network
engineers >> DNS network engineers >> DNSSEC network engineers.)

The other is the life of a "factory default config".

It goes from $vendor, to $flash-vendor, to $mfg, to $shipping, to
$customs, to $distributor, to $customer.
In some cases, $customer has a large inventory, to supply their $end-customers.
And in some cases, $end-customer has both a live router, and cold
spare (in a box), purchased at the same time. Think MTBF...

So, there are cases where both large numbers of $customer get a new
box, which has a slightly-outdated trust anchor (because roll-over
happened during the supply chain process), and where moderate numbers
of $customer eventually have a "new" box which is quite old.

Solving for one solves for both, ideally.

Regardless of oversimplification, having $vendor ship all routers with
DNSSEC not only supported, but enabled by default, should be
commended.

We complain about adoption delays. This, we should be falling over
ourselves to assist on, or never, ever complain again about adoption.
Seriously.

Brian

v2.23.0 | Report a Bug | By Email