Re: [DNSOP] IETF meeting prep and what

Joe Abley <> Wed, 30 June 2021 19:04 UTC

From: Joe Abley <>
Date: Wed, 30 Jun 2021 15:04:35 -0400
To: Peter van Dijk <>
Cc: dnsop <>

On 30 Jun 2021, at 14:59, Peter van Dijk <> wrote:

> I feel that the right mechanism for root key distribution is software distributors. This is working fine for the CA system, and with keys announced far enough in advance, should work fine for DNSSEC. Software distributors have solved this problem; they are very good at distributing things; I suggest we let them solve this for us.

We actually spent some time back in 2009/2010 packaging trust anchors in a way that could take advantage of existing (e.g. code-signing) PKIs, specifically to facilitate distribution to software vendors. I haven't checked very recently, but I don't think there was any sign that the mechanism was being used by anybody in the decade or so that followed. See RFC 7958 section 2.3.

I mention this simply because it was our best guess at the time at how to distribute trust anchors securely (with a respectable chain of custody) from the KMF in which the keys were generated right through to the code publication pipeline operated by software vendors. Quite possibly it was a bad guess.
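The message above refers to the RFC 7958 trust anchor publication format without showing it. As an added illustration (this is editor-supplied example code, not part of Joe Abley's message, IANA's tooling, or any resolver), the block below derives a KeyDigest entry from a DNSKEY the way the published root-anchors.xml carries it, and then performs the consumer-side check a validator does: compute the DS digest over the owner name and DNSKEY RDATA (RFC 4034/4509), match key tag, algorithm and digest, and honour the validFrom/validUntil window. The key bytes, the anchor id, the dates and the source URL are constructed placeholders.

```python
# Added example, not from the message above or from IANA: build an RFC 7958
# style KeyDigest from a DNSKEY, then check a DNSKEY against it as a
# validator would. All key material, ids, dates and URLs are constructed.
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET
from datetime import datetime, timezone


def name_to_wire(name):
    """Canonical wire-format owner name (RFC 4034 s6.2): lowercase labels,
    length-prefixed, ending in the root label. "." is a single zero byte."""
    if name in (".", ""):
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (historic RSA/MD5 special case omitted)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata):
    """DS digest type 2 (RFC 4509): SHA-256 over canonical owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()


def at(year, month, day):
    """UTC timestamp helper used for validity-window checks."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def build_trust_anchor_xml(zone, rdata, key_id, valid_from, valid_until=None):
    """Emit a TrustAnchor document in the RFC 7958 layout (one KeyDigest with
    KeyTag, Algorithm, DigestType, Digest). id/source are placeholders."""
    root = ET.Element("TrustAnchor", id="constructed-example",
                      source="https://example.invalid/root-anchors.xml")
    ET.SubElement(root, "Zone").text = zone
    attrs = {"id": key_id, "validFrom": valid_from.isoformat()}
    if valid_until is not None:
        attrs["validUntil"] = valid_until.isoformat()
    kd = ET.SubElement(root, "KeyDigest", attrs)
    ET.SubElement(kd, "KeyTag").text = str(key_tag(rdata))
    ET.SubElement(kd, "Algorithm").text = str(rdata[3])
    ET.SubElement(kd, "DigestType").text = "2"
    ET.SubElement(kd, "Digest").text = ds_digest(zone, rdata)
    return ET.tostring(root, encoding="unicode")


def load_anchors(xml_text):
    """Parse a TrustAnchor document into (zone, list of anchor dicts)."""
    root = ET.fromstring(xml_text)
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append({
            "valid_from": datetime.fromisoformat(kd.get("validFrom")),
            "valid_until": datetime.fromisoformat(until) if until else None,
            "key_tag": int(kd.findtext("KeyTag")),
            "algorithm": int(kd.findtext("Algorithm")),
            "digest_type": int(kd.findtext("DigestType")),
            "digest": kd.findtext("Digest").strip().upper(),
        })
    return root.findtext("Zone"), anchors


def dnskey_matches_anchor(xml_text, owner, rdata, now):
    """True if the DNSKEY matches a published anchor that is in effect at `now`."""
    zone, anchors = load_anchors(xml_text)
    if name_to_wire(zone) != name_to_wire(owner):
        return False
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:            # RFC 4034 s2.1.2: any other value is invalid
        return False
    tag = key_tag(rdata)
    for a in anchors:
        if a["valid_from"] > now or (a["valid_until"] is not None and a["valid_until"] <= now):
            continue             # anchor not yet, or no longer, in effect
        if a["key_tag"] != tag or a["algorithm"] != algorithm or a["digest_type"] != 2:
            continue             # cheap checks first; only SHA-256 anchors handled here
        if hmac.compare_digest(ds_digest(owner, rdata), a["digest"]):
            return True
    return False


# Constructed sample: a KSK-style root DNSKEY (flags 257 = ZONE|SEP, algorithm 8
# RSASHA256) whose key bytes are an arbitrary pattern, not a real public key.
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
SAMPLE_XML = build_trust_anchor_xml(".", SAMPLE_RDATA, "Kexample", valid_from=at(2021, 1, 1))

if __name__ == "__main__":
    print(SAMPLE_XML)
    print("matches:", dnskey_matches_anchor(SAMPLE_XML, ".", SAMPLE_RDATA, at(2021, 6, 30)))
```

Note that this checks only the integrity link between the XML and a DNSKEY; it says nothing about how the XML itself reached you, which is exactly the chain-of-custody question the message is about (the real file is published alongside detached signatures for that purpose).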