Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key

manning <bmanning@karoshi.com> Tue, 30 June 2015 14:22 UTC

From: manning <bmanning@karoshi.com>
In-Reply-To: <alpine.LSU.2.00.1506301453160.32296@hermes-1.csi.cam.ac.uk>
Date: Tue, 30 Jun 2015 07:22:04 -0700
Message-Id: <B1546247-6557-4AC7-950B-940D8503AC30@karoshi.com>
References: <CAHw9_iKmhA+f8QyuLkWeXQDfwprydVaGkR+LVJACGtsTB0+Pfw@mail.gmail.com> <55929AE2.50105@sinodun.com> <alpine.LSU.2.00.1506301453160.32296@hermes-1.csi.cam.ac.uk>
To: Tony Finch <dot@dotat.at>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/9E2gOICvhDLFVubw6TmXXfV7l8U>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Simplified Updates of DNS Security Trust Anchors, for rolling the root key
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>

unless, of course, DNSSEC allowed for signing individual records instead of zones.

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102



On Tuesday, 30 June 2015, at 6:57, Tony Finch <dot@dotat.at> wrote:

> John Dickinson <jad@sinodun.com> wrote:
>> 
>> I have been planning to write a draft to address 1 by having validators send
>> the DS of known TAs in an EDNS0 option code. This info could then be logged
>> by the authoritative nameservers.
> 
> Good idea, though just the key tags should be enough. (I think key
> management software ensures that tags don't collide.) If you only include
> the EDNS option when querying for the DNSKEY RRset then that tells the
> server which zone the trust anchor key tags belong to.
> 
> Tony.
> -- 
> f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
> Forties, Cromarty, Forth, Tyne, Dogger: South or southeast 4 or 5, increasing
> 6 at times. Slight or moderate. Mainly fair. Moderate or good.
> 
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
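The mechanism Tony describes in the quoted reply, worked through end to end as an added example (this is not code from any participant in the thread or from any DNS implementation): a validator computes the RFC 4034 Appendix B key tags of the DNSKEYs it holds as trust anchors, attaches them as an EDNS0 option to its DNSKEY query for the zone, and the authoritative side parses the option and attributes the tags to the QNAME only when QTYPE is DNSKEY. The option wire format and option code 14 follow RFC 8145 (edns-key-tag), which later standardised this idea; the thread itself names no option code. The two DNSKEY records are constructed test data, not real keys.

```python
"""Trust-anchor signalling in an EDNS0 option (added example, not the thread's code)."""
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
EDNS_KEY_TAG = 14   # edns-key-tag option code from RFC 8145; the thread names no code


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(zone: str, qtype: int, trust_anchor_tags, msg_id: int = 0x1234) -> bytes:
    """Validator side: one-question query, DO bit set, edns-key-tag option in ADDITIONAL."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)
    question = encode_name(zone) + struct.pack("!HH", qtype, 1)
    opt_data = b"".join(struct.pack("!H", t) for t in trust_anchor_tags)
    option = struct.pack("!HH", EDNS_KEY_TAG, len(opt_data)) + opt_data
    # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    # TTL = extended RCODE / version / flags with DO (0x8000) set.
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, len(option)) + option
    return header + question + opt_rr


def parse_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


def server_extract_trust_anchor_tags(msg: bytes):
    """Authoritative side: return (zone, [key tags]) when a DNSKEY query carries
    the option, else None.  The tags are attributed to the QNAME only for DNSKEY
    queries, which is what lets the server know which zone they belong to."""
    _, _, qd, _, _, ar = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        return None
    qname, off = parse_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    tags = None
    for _ in range(ar):
        _, off = parse_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        p = 0
        while p + 4 <= len(rdata):
            code, length = struct.unpack("!HH", rdata[p:p + 4])
            p += 4
            body = rdata[p:p + length]
            p += length
            if code == EDNS_KEY_TAG:
                even = len(body) - len(body) % 2     # ignore a stray trailing byte
                tags = [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, even, 2)]
    if qtype != TYPE_DNSKEY or tags is None:
        return None
    return qname, tags


# Constructed DNSKEY records (not real keys): a KSK (flags 257) and a ZSK (flags 256).
KSK = dnskey_rdata(257, 8, bytes([0x00, 0x01, 0x02, 0x03]))
ZSK = dnskey_rdata(256, 8, bytes([0xFF, 0xFF, 0xFF, 0xFF]))


def demo():
    """Validator holding only the KSK as trust anchor queries the root for DNSKEY."""
    query = build_query(".", TYPE_DNSKEY, [key_tag(KSK)])
    return server_extract_trust_anchor_tags(query)


if __name__ == "__main__":
    print("KSK tag", key_tag(KSK), "ZSK tag", key_tag(ZSK))
    print("server logs", demo())
```

The server-side check that drops the option on anything but a DNSKEY query is the practical point of Tony's suggestion: a bare list of 16-bit key tags carries no zone name, so the QNAME of the DNSKEY query is what gives the logged tags their meaning. Note also that key tags are a 16-bit checksum, not a hash; two distinct keys can share a tag, which is why the reply leans on key-management software avoiding collisions within a zone.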