Re: [DNSOP] KSK rollover choices
Paul Vixie <paul@redbarn.org> Wed, 31 October 2018 18:54 UTC
To: Jim Reid <jim@rfc1035.com>
CC: Mark Andrews <marka@isc.org>, dnsop WG <dnsop@ietf.org>
Message-ID: <5BD9FA76.2000504@redbarn.org>
In-Reply-To: <5E17B5C8-C385-4BFD-95A5-4A55669967AC@rfc1035.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/ME9dJJCQMG4L_lCMJEHIYkQEQHA>
Jim Reid wrote:
>
>> On 31 Oct 2018, at 00:27, Mark Andrews <marka@isc.org> wrote:
>>
>> Bootstrap is still an issue. Over fast TA rolling makes it more of
>> an issue.
>
> Indeed. And that's the underlying problem that needs to be fixed IMO
> - for instance when/if there's an emergency rollover.

bootstrappers should have https access to a complete history of root ksk, each one signed by its predecessor. this doesn't handle revocation, but nothing in dnssec handles revocation, and that's by design, and so i'm inclined not to worry about it. but that's the backup plan.

the primary expectation is, devices which come off the shelf after a dnssec ksk roll will have some means of reaching and trusting their manufacturer's software update service, which will offer them a current ksk for validation.

manufacturers who don't last long enough to do this, or who for whatever other reason don't do this, will be shipping future bricks. and i'm fine with that, since it's in their power to do the right thing, which is the best we can offer.

-- 
P Vixie
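The "complete history of root ksk, each one signed by its predecessor" proposal above can be made concrete with a small verifier. The following Go program is an added illustration written for this archive page, not code from the thread's participants or from any root-zone tooling. It assumes a constructed history format (a serial number and public key per generation, with the predecessor's Ed25519 signature over both) and a device that ships with one pinned KSK; real root KSKs are RSA DNSKEY records with RFC 4034 key tags, which the example does not model. As the message says, the walk does no revocation checking: any older private key in the chain could sign a fraudulent successor, so the history only tells a bootstrapping device what the publisher asserts, and a device should still prefer a fresher anchor from a trusted update channel when one is available.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// KSKRecord is one entry in a published root-KSK history (constructed format).
// Each entry after the first carries a signature over its own Serial and PubKey,
// made with the private key of the entry before it. Serial is a plain sequence
// number, not an RFC 4034 key tag.
type KSKRecord struct {
	Serial  uint32
	PubKey  ed25519.PublicKey
	PrevSig []byte
}

// signedBytes is the byte string a predecessor signs: serial || public key.
func signedBytes(r KSKRecord) []byte {
	buf := make([]byte, 4, 4+ed25519.PublicKeySize)
	binary.BigEndian.PutUint32(buf, r.Serial)
	return append(buf, r.PubKey...)
}

// BuildHistory constructs n KSK generations for the example. Private keys are
// discarded as soon as the next generation has been signed, mirroring a
// publisher that keeps only the current signing key online.
func BuildHistory(n int) ([]KSKRecord, error) {
	if n < 1 {
		return nil, errors.New("need at least one KSK")
	}
	history := make([]KSKRecord, 0, n)
	var prevPriv ed25519.PrivateKey
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		rec := KSKRecord{Serial: uint32(i + 1), PubKey: pub}
		if prevPriv != nil {
			rec.PrevSig = ed25519.Sign(prevPriv, signedBytes(rec))
		}
		history = append(history, rec)
		prevPriv = priv
	}
	return history, nil
}

// WalkHistory starts from the KSK a device shipped with (the pinned anchor) and
// accepts each later KSK only if its immediate predecessor signed it. It returns
// the newest KSK reached, or an error at the first broken link. Entries older
// than the anchor are never consulted. No revocation check is performed.
func WalkHistory(anchor ed25519.PublicKey, history []KSKRecord) (ed25519.PublicKey, error) {
	start := -1
	for i, r := range history {
		if bytes.Equal(r.PubKey, anchor) {
			start = i
			break
		}
	}
	if start < 0 {
		return nil, errors.New("pinned anchor not found in history")
	}
	current := history[start]
	for _, next := range history[start+1:] {
		if next.Serial != current.Serial+1 {
			return nil, fmt.Errorf("serial gap after KSK %d", current.Serial)
		}
		if !ed25519.Verify(current.PubKey, signedBytes(next), next.PrevSig) {
			return nil, fmt.Errorf("KSK %d is not signed by KSK %d", next.Serial, current.Serial)
		}
		current = next
	}
	return current.PubKey, nil
}

func main() {
	history, err := BuildHistory(4)
	if err != nil {
		panic(err)
	}
	// A device that shipped with the second KSK catches up to the fourth.
	newest, err := WalkHistory(history[1].PubKey, history)
	fmt.Println("caught up:", bytes.Equal(newest, history[3].PubKey), err)
	// A tampered entry breaks the chain at that link.
	history[2].PubKey[0] ^= 0xff
	_, err = WalkHistory(history[0].PubKey, history)
	fmt.Println("tampered history:", err)
}
```

The verifier walks only forward from the pinned key, so a device that shipped with KSK 2 never needs KSK 1 and is unaffected by anything wrong with entries before its anchor. Fetching the history over HTTPS, as the message suggests, protects the download but is not what establishes trust; the predecessor signatures do, which is why the check must fail closed at the first bad link rather than skip it.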