Re: [dnsext] historal root keys for upgrade path?

Joe Abley <jabley@hopcount.ca> Fri, 28 January 2011 14:32 UTC

From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <AANLkTinopGbhuVHxeK9og6y7TJtL7joUnr7ykE4_G4jb@mail.gmail.com>
Date: Fri, 28 Jan 2011 09:35:00 -0500
Message-Id: <530DDAE1-2C3A-4420-AC9A-6C52A13AEDB8@hopcount.ca>
References: <alpine.LFD.1.10.1101251250040.30991@newtla.xelerance.com> <4D3F233C.7000900@vpnc.org> <CAB4A416-148B-435E-A1BB-78035A1D539D@kirei.se> <alpine.LFD.1.10.1101271036560.19497@newtla.xelerance.com> <10A3D861-EC02-49FF-BBD1-44843378C9CB@icsi.berkeley.edu> <2BC28AF0-9132-4FFD-9FA6-FCEC29A1D471@hopcount.ca> <50123.1296155020@nsa.vix.com> <D442CA92-EC36-4425-B9D9-58D00E2735E4@hopcount.ca> <AANLkTinopGbhuVHxeK9og6y7TJtL7joUnr7ykE4_G4jb@mail.gmail.com>
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] historal root keys for upgrade path?

On 2011-01-27, at 18:23, Phillip Hallam-Baker wrote:

> The risk of doing such a roll would be that the ensuing chaos is then used as proof that DNSSEC is not ready for prime-time.

That is indeed a risk, and, to confirm, I am not in favour of rolling it speculatively or without extensive successful prior experimentation and testing.

A benefit of a successful, controlled roll is that we could perhaps worry less about widespread failure in the event that we need to do an emergency roll.

I'll note that this is probably not the list to debate these things.


Joe