Re: [DNSOP] public consultation on root zone KSK rollover

Joe Abley <jabley@hopcount.ca> Sat, 06 April 2013 09:04 UTC

References: <87B5FB9E-755D-4E75-A54E-7A17B6AAF21A@hopcount.ca> <8D361F63-C433-4B11-BC26-37D1F550D463@vpnc.org> <20130403151735.GA20820@nic.fr> <20130403163826.GA46759@isc.org> <76E16FA9-84E0-4091-9ECA-5DB0A5BCA90A@dotat.at>
From: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <76E16FA9-84E0-4091-9ECA-5DB0A5BCA90A@dotat.at>
Date: Sat, 06 Apr 2013 17:04:09 +0800
Message-ID: <8811862356902250422@unknownmsgid>
To: Tony Finch <dot@dotat.at>
Cc: Evan Hunt <each@isc.org>, "dnsop@ietf.org WG" <dnsop@ietf.org>, Paul Hoffman <paul.hoffman@vpnc.org>
Subject: Re: [DNSOP] public consultation on root zone KSK rollover

On 2013-04-06, at 16:55, Tony Finch <dot@dotat.at> wrote:

> On 3 Apr 2013, at 17:38, Evan Hunt <each@isc.org> wrote:
>>
>> Then there's the issue Paul mentioned -- gear configured with a root KSK
>> that gets switched off and not rebooted for a few months or years, and then
>> no longer works and can't recover.
>
> Validator vendors have to provide an out-of-band trust anchor update mechanism to cope with this. It needs to be coded and included in long-term support releases of validators and operating systems before rollover, I think.

draft-jabley-dnsop-validator-bootstrap.

> I am not sure if ICANN intend their trust anchor download server to be used for this purpose or if vendors are expected to provision their own mirrors.

Our server is fine. Others' servers are also fine, although we would
likely prefer to wrap some small process around contact info,
notifications when there is new content, etc.

> I also don't know how to assess the trustworthiness of ICANN's signatures on the trust anchor.

draft-jabley-dnsop-validator-bootstrap. There is some work required on
the details, but the intended direction should be clear.


Joe
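The out-of-band bootstrap the thread is discussing comes down to one check on the validator side: take the KSK as seen in the zone's DNSKEY RRset, compute its DS-style digest the way RFC 4034 does, and confirm that digest (plus key tag and algorithm) appears in the trust-anchor file you fetched over some other channel, and that the file's entry is still inside its validity window. The example below is added here and is not code from the thread, from ICANN/IANA or from draft-jabley-dnsop-validator-bootstrap. It assumes the anchor file uses the KeyDigest layout of root-anchors.xml (KeyTag, Algorithm, DigestType, Digest children with validFrom/validUntil attributes); the key bytes, element ids and helper names (`bootstrap_check`, `build_anchor_xml`, etc.) are constructed for illustration and the key is not the real root KSK.

```python
"""Check an out-of-band trust anchor against a DNSKEY (RFC 4034 DS digest).

Added example, not part of the thread. Key material below is constructed.
"""
import hashlib
import struct
import xml.etree.ElementTree as ET
from datetime import datetime

SEP_FLAG = 0x0001        # Secure Entry Point: the key a trust anchor points at
ZONE_KEY_FLAG = 0x0100


def wire_name(name):
    """Canonical (lower-case) wire form of an owner name; '.' becomes b'\\x00'."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type=2):
    """RFC 4034 5.1.4: digest over owner-name wire form || DNSKEY RDATA."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) handled here")
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def parse_anchors(xml_text):
    """Pull the KeyDigest entries out of a root-anchors.xml style document."""
    root = ET.fromstring(xml_text)
    zone = root.findtext("Zone", ".")
    return [{
        "zone": zone,
        "id": kd.get("id"),
        "valid_from": kd.get("validFrom"),
        "valid_until": kd.get("validUntil"),
        "key_tag": int(kd.findtext("KeyTag")),
        "algorithm": int(kd.findtext("Algorithm")),
        "digest_type": int(kd.findtext("DigestType")),
        "digest": kd.findtext("Digest").strip().upper(),
    } for kd in root.iter("KeyDigest")]


def anchor_matches(entry, owner, rdata, now):
    """True iff rdata is the key this anchor entry describes and the entry is current."""
    if entry["valid_from"] and now < datetime.fromisoformat(entry["valid_from"]):
        return False
    if entry["valid_until"] and now >= datetime.fromisoformat(entry["valid_until"]):
        return False            # stale anchor: the box that was powered off too long
    if rdata[3] != entry["algorithm"] or key_tag(rdata) != entry["key_tag"]:
        return False
    return ds_digest(owner, rdata, entry["digest_type"]) == entry["digest"]


def build_anchor_xml(owner, rdata, valid_from, valid_until=None):
    """Publisher side (constructed): emit an anchor entry for a given DNSKEY."""
    until = f' validUntil="{valid_until}"' if valid_until else ""
    return (f'<TrustAnchor id="constructed" source="example"><Zone>{owner}</Zone>'
            f'<KeyDigest id="k1" validFrom="{valid_from}"{until}>'
            f'<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>{rdata[3]}</Algorithm>'
            f'<DigestType>2</DigestType><Digest>{ds_digest(owner, rdata)}</Digest>'
            f'</KeyDigest></TrustAnchor>')


# Constructed sample: a SEP-flagged algorithm-8 key with made-up key bytes.
SAMPLE_OWNER = "."
SAMPLE_KEY = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 3, 8, bytes(range(1, 65)))
SAMPLE_XML = build_anchor_xml(SAMPLE_OWNER, SAMPLE_KEY, "2010-07-15T00:00:00+00:00")


def bootstrap_check(xml_text=SAMPLE_XML, owner=SAMPLE_OWNER, rdata=SAMPLE_KEY,
                    now_iso="2013-04-06T00:00:00+00:00"):
    """Validator side: return the id of the anchor entry matching this DNSKEY, or None."""
    now = datetime.fromisoformat(now_iso)
    for entry in parse_anchors(xml_text):
        if entry["zone"] == owner and anchor_matches(entry, owner, rdata, now):
            return entry["id"]
    return None


if __name__ == "__main__":
    print("genuine key matches anchor:", bootstrap_check())
    tampered = dnskey_rdata(ZONE_KEY_FLAG, 3, 8, bytes(range(1, 65)))   # SEP bit cleared
    print("altered key matches anchor:", bootstrap_check(rdata=tampered))
```

Two things this deliberately does not do: it does not verify the detached signature on the anchor file itself (the trustworthiness question Tony raises is about that signature, and it has to be checked with a key or certificate provisioned independently of the DNS), and it refuses an entry outside its validFrom/validUntil window rather than trusting it, which is the failure Evan describes when gear comes back after months without an anchor update.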