Re: [dnsext] historal root keys for upgrade path?

Jakob Schlyter <jakob@kirei.se> Thu, 27 January 2011 15:14 UTC

On 25 jan 2011, at 20.23, Paul Hoffman wrote:

> Bootstrapping is hard, but once you have done it, you can reuse the trust logic you used to do it again.

Unbound [1] has a very elaborate way (see the source code [2] of unbound-anchor) of maintaining the root trust anchor.

	jakob


[1] http://www.unbound.net/documentation/unbound-anchor.html
[2] http://unbound.nlnetlabs.nl/svn/trunk/smallapp/unbound-anchor.c