Re: [DNSOP] public consultation on root zone KSK rollover

Ralf Weber <Ralf.Weber@nominum.com> Sat, 06 April 2013 09:32 UTC

From: Ralf Weber <Ralf.Weber@nominum.com>
To: Tony Finch <dot@dotat.at>
Date: Sat, 06 Apr 2013 09:32:41 +0000
Message-ID: <4359B40FE8E82C4BA840D73427B8A45875C60E94@mbx-01.win.nominum.com>
References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <alpine.LFD.2.10.1304031109290.28075@bofh.nohats.ca> <43A8B5EA-7C4A-4C53-8479-075C85428EE4@dotat.at>
In-Reply-To: <43A8B5EA-7C4A-4C53-8479-075C85428EE4@dotat.at>
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Wouters <paul@nohats.ca>, Paul Hoffman <paul.hoffman@vpnc.org>, Joe Abley <jabley@hopcount.ca>

Moin!

On 06.04.2013, at 11:04, Tony Finch <dot@dotat.at> wrote:
> On 3 Apr 2013, at 16:11, Paul Wouters <paul@nohats.ca> wrote:
> 
>> It's the vendors of equipment supporting DNSSEC that have
>> the real issues. If they shipped with a root anchor, and their stuff
>> is offline for 5 years and turned on, their DNS will be broken and 5011
>> isn't going to be useful to them.....
> 
> The real problem occurs when the latest release of the validator software was published before the rollover, and you install it after the rollover. It is perfectly reasonable to install software that is a few months old.
I don't think that this is the real problem. The real problem is when a validator has a history of 5011 keys and gets shut down for a year or a couple of months while the root KSK rolls.

Initially it might be better for validators, instead of being shipped with a key, to follow draft-jabley-dnssec-trust-anchor to get the initial root key. There are some implementations out there that already do this.

I think it might be good to extend draft-jabley-dnsop-validator-bootstrap to also cover problems introduced by root KSK rollover in order to give people guidance in case their bootstrap process is stuck.

I'll also add these comments to the ICANN root key roll consultation page later (just returned from vacation).

So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400 
Redwood City, California 94063
ralf.weber@nominum.com
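The two failure modes discussed in this message (a validator that has been tracking RFC 5011 and is powered off across the roll, versus one that is bootstrapped from the published trust-anchor file) can be walked through in a small simulation. The following is an added example, not code from the thread, from Nominum, or from any resolver: it implements a simplified RFC 5011 state table (Valid, Missing, AddPend, Revoked, Removed; active-refresh timing, RRSIG validity and real signatures are left out, and "signed by" is modelled as a list of keys), runs it once for an always-on validator and once for one that is off from day 11 to day 400, and then installs the new KSK from a constructed root-anchors.xml in the layout draft-jabley-dnssec-trust-anchor later became (RFC 7958). The class and function names (`DNSKey`, `Validator`, `roll`, `anchor_file_for`, `bootstrap`), the 30-day hold-downs, the key bytes, the day numbers and the file contents are all assumptions made for the example.

```python
"""Added example, not code from the thread or from any resolver: an RFC 5011 anchor state machine
run across a root KSK roll, once for a validator that stays on and once for one powered off during
the roll and then bootstrapped from an RFC 7958-style anchor file. Keys, days and file are constructed."""
import hashlib
import struct
import xml.etree.ElementTree as ET

ADD_HOLD_DOWN, REMOVE_HOLD_DOWN = 30, 30   # days (RFC 5011 section 2.4.1)
REVOKE, SEP = 0x0080, 0x0001               # DNSKEY flag bits


class DNSKey:
    """Minimal DNSKEY: flags, protocol 3, algorithm, opaque public key bytes (no real crypto)."""
    def __init__(self, flags, pubkey, algorithm=8):
        self.flags, self.pubkey, self.algorithm = flags, pubkey, algorithm
    def key_id(self):     # identity that survives the REVOKE bit, which changes the key tag
        return (self.algorithm, self.pubkey)
    def rdata(self):
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.pubkey
    def key_tag(self):    # RFC 4034 Appendix B
        ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(self.rdata()))
        return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF
    def ds_digest(self):  # DS digest type 2: SHA-256 over root owner name "." (one zero byte) + RDATA
        return hashlib.sha256(b"\x00" + self.rdata()).hexdigest().upper()


class Validator:
    """Simplified RFC 5011 table: Valid, Missing, AddPend, Revoked, Removed (Start = not present)."""
    def __init__(self, anchors):
        self.state = {k.key_id(): "Valid" for k in anchors}
        self.since = {k.key_id(): 0 for k in anchors}   # day the current state was entered
        self.last_seen = dict(self.since)
    def can_validate(self, signers):
        return any(self.state.get(k.key_id()) == "Valid" for k in signers)
    def observe(self, day, rrset, signers):
        """One DNSKEY query on `day`; `signers` are the keys whose RRSIGs verify.
        Returns False, changing nothing further, when no Valid anchor signed the RRset."""
        signer_ids = {k.key_id() for k in signers}
        for k in rrset:   # revocation needs only the revoked key's own signature (RFC 5011 2.1)
            if k.flags & REVOKE and k.key_id() in signer_ids and self.state.get(k.key_id()) in ("Valid", "Missing", "AddPend"):
                self.state[k.key_id()], self.since[k.key_id()] = "Revoked", day
        if not self.can_validate(signers):
            return False
        seen = {k.key_id() for k in rrset}
        for k in rrset:   # unknown SEP keys enter AddPend and start the add hold-down
            if k.flags & SEP and not k.flags & REVOKE and k.key_id() not in self.state:
                self.state[k.key_id()] = "AddPend"
                self.since[k.key_id()] = self.last_seen[k.key_id()] = day
        for kid, st in list(self.state.items()):
            if st == "AddPend":
                if kid not in seen or day - self.last_seen[kid] > ADD_HOLD_DOWN:
                    del self.state[kid]      # not observed continuously: back to Start
                elif day - self.since[kid] >= ADD_HOLD_DOWN:
                    self.state[kid] = "Valid"
                else:
                    self.last_seen[kid] = day
            elif st == "Valid" and kid not in seen:
                self.state[kid] = "Missing"
            elif st == "Missing" and kid in seen:
                self.state[kid] = "Valid"
            elif st == "Revoked" and day - self.since[kid] >= REMOVE_HOLD_DOWN:
                self.state[kid] = "Removed"
        return True


def roll(validator_offline):
    """Roll timeline: new KSK pre-published day 0, old KSK revoked day 60, gone by day 91.
    With validator_offline=True the validator is switched off from day 11 to day 400."""
    a, b = DNSKey(256 | SEP, b"constructed-old-KSK"), DNSKey(256 | SEP, b"constructed-new-KSK")
    v = Validator([a])
    v.observe(0, [a, b], [a])               # new key signed by the old one -> AddPend
    v.observe(10, [a, b], [a])
    if validator_offline:
        return v, a, b, v.observe(400, [b], [b])   # only the new key signs, and it is not Valid
    v.observe(31, [a, b], [a])              # add hold-down elapsed -> Valid
    a_rev = DNSKey(a.flags | REVOKE, a.pubkey)
    v.observe(60, [a_rev, b], [a_rev, b])   # old key published with REVOKE set and self-signed
    return v, a, b, v.observe(91, [b], [b])  # remove hold-down elapsed -> Removed


def anchor_file_for(key):
    """Constructed root-anchors.xml in the RFC 7958 layout describing `key`; the ids are made up."""
    return (f'<TrustAnchor id="constructed" source="http://data.iana.org/root-anchors/root-anchors.xml">'
            f'<Zone>.</Zone><KeyDigest id="Kconstructed" validFrom="2017-02-02T00:00:00+00:00">'
            f'<KeyTag>{key.key_tag()}</KeyTag><Algorithm>{key.algorithm}</Algorithm>'
            f'<DigestType>2</DigestType><Digest>{key.ds_digest()}</Digest></KeyDigest></TrustAnchor>')


def bootstrap(validator, xml_text, rrset):
    """Install as Valid each key in `rrset` whose SHA-256 DS matches a KeyDigest in the anchor file."""
    installed = []
    for kd in ET.fromstring(xml_text).iter("KeyDigest"):
        want = (int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")), kd.findtext("Digest").upper())
        for k in rrset:
            if kd.findtext("DigestType") == "2" and (k.key_tag(), k.algorithm, k.ds_digest()) == want:
                validator.state[k.key_id()] = "Valid"
                validator.since[k.key_id()] = validator.last_seen[k.key_id()] = 0
                installed.append(k.key_tag())
    return installed
```

Running `roll(validator_offline=False)` ends with the old key Removed and the new key Valid, as RFC 5011 intends. `roll(validator_offline=True)` ends stuck: the validator comes back to an RRset signed only by a key it still holds in AddPend, so `observe` returns False, the stored old key stays Valid although it will never sign anything again, and every later query looks the same, which is the case the message describes. `bootstrap` then installs the new key because its key tag, algorithm and SHA-256 DS match the KeyDigest in the file. Two things a real implementation must add and this example deliberately skips: verify the detached signature that is published alongside root-anchors.xml before trusting any KeyDigest in it, and honour a KeyDigest's validUntil attribute so an expired entry is not installed.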