Re: [DNSOP] Expiration impending: <draft-jabley-dnssec-trust-anchor-11.txt>

"W.C.A. Wijngaards" <wouter@nlnetlabs.nl> Tue, 06 October 2015 08:52 UTC

Message-ID: <56138BDB.60709@nlnetlabs.nl>
Date: Tue, 06 Oct 2015 10:52:43 +0200
From: "W.C.A. Wijngaards" <wouter@nlnetlabs.nl>
To: dnsop@ietf.org
References: <20150928114202.823.19868.idtracker@ietfa.amsl.com> <20150928155325.GA63874@gaon.net> <20150929095301.32c3e6a3@casual> <13F1D87F-1C07-40EB-86B0-564C4109C9B0@virtualized.org> <1973252D-924F-4EF1-A38F-5EC01AD331F6@gmail.com> <FDD04DCC-59C5-41F5-8CAF-1EF31CD65A34@virtualized.org> <63E1E01E-C172-4A0F-B434-F796546BB657@gmail.com> <C4FA9FA6-76E3-4FF3-862B-C5C0DF75C761@kirei.se> <D1C15986-603E-4932-B551-0497638D9849@vpnc.org> <02869F43-87A4-4797-8FD3-276C02DF665D@kirei.se> <EEA946B1-8BF3-4AB7-99D2-4C8CDCCF0EC0@vpnc.org> <F412CE02-C0BA-425E-BBF9-3A40B2B5FEA7@vpnc.org> <9F52E6FC-E503-4E3A-9998-363BF514CC1A@hopcount.ca> <D2C7120E-D13A-4372-8A8D-FE16DDDB5AEA@vpnc.org> <6CE2A233-0CD3-4490-BDDE-A0E82B305F05@hopcount.ca> <97AFB21E-9233-4753-8F89-A6AC6C6B079B@vpnc.org> <A1B41B27-AFB0-4B42-9F46-AA1D8D5D00F6@hopcount.ca> <D3A29F92-2A24-4CEC-93CF-164BD2497C1E@vpnc.org> <BFB819A9-9C50-4049-A5F0-5054CD86EC94@hopcount.ca> <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com>
In-Reply-To: <70FA923D-C067-492E-A1EA-7B88754C2D5B@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/UPqQFpt3A-E6vNao31Xm2hO8P5Y>


Hi,

On 05/10/15 23:42, Suzanne Woolf wrote:
> All,
> 
> First, thanks for engaging on this.
> 
> On Oct 5, 2015, at 5:20 PM, "Joe Abley" <jabley@hopcount.ca>
> wrote:
>> 
>> Perhaps it's time to sit back and wait for others here to
>> express an opinion.
> 
> I'd like to hear opinions from others in the WG with an
> operational interest in the DNSSEC root trust anchor.

It documents a procedure we implemented, and a stable reference would
be a good thing.

> Does this document meet a need you have? If so, how well does it
> meet the need, and what would it take (if anything) for the
> document to meet that need more effectively?

Unbound implements the draft in open source, in its own command-line
tool 'unbound-anchor'.  It combines a compiled-in root anchor with
RFC 5011 rollover and this draft.  At the first start it fails over
from the initial anchor to the next option, and this draft is the
fallback.  On subsequent invocations it keeps state, a rolling anchor
that it keeps track of.  If RFC 5011 tracking fails, it uses this draft
to fetch the XML file with the new key.  The tool is
organisation-agnostic and can also be configured to perform the same
mechanics in another environment (e.g. test environments).

Best regards, Wouter
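The fallback step Wouter describes (fetch the trust-anchor XML file and take the
new key from it) amounts to: parse the file's KeyDigest entries, keep the ones
whose validFrom/validUntil window contains today, and accept only those root
DNSKEYs whose DS digest matches one of them. The Python below is an added
example written for this archive page, not unbound-anchor's own code. It
assumes the XML layout the draft describes (TrustAnchor / Zone / KeyDigest with
KeyTag, Algorithm, DigestType, Digest), and that the detached signature over the
file (root-anchors.p7s or .asc) has already been verified before the contents
are parsed; that signature check is not shown. The sample file is constructed:
its TrustAnchor id is made up, while the two KeyDigest entries carry the DS
values IANA published for the 2010 and 2017 root KSKs (key tags 19036 and
20326). The DNSKEY used at the bottom is a synthetic key blob, so it matches
only a DS computed from itself, never the real anchors.

```python
# Added example (not unbound-anchor's code): select the currently valid
# KeyDigest entries from a trust-anchor XML file and check DNSKEYs against them.
import base64
import hashlib
import hmac
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample in the draft's XML layout.  The id is made up; the digests
# are the DS values IANA published for the 2010 and 2017 root KSKs.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="constructed-example" source="http://data.iana.org/root-anchors/root-anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="Kjqmt7v" validFrom="2010-07-15T00:00:00+00:00" validUntil="2019-01-11T00:00:00+00:00">
    <KeyTag>19036</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5</Digest>
  </KeyDigest>
  <KeyDigest id="Klajeyz" validFrom="2017-02-02T00:00:00+00:00">
    <KeyTag>20326</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D</Digest>
  </KeyDigest>
</TrustAnchor>
"""

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes
    valid_from: datetime
    valid_until: Optional[datetime]  # None: no retirement date published yet


def parse_trust_anchors(xml_text: str) -> Tuple[str, List[DS]]:
    """Return (zone, anchors) from a TrustAnchor document; only call on a signature-verified file."""
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError("not a TrustAnchor document")
    zone = root.findtext("Zone")
    if not zone:
        raise ValueError("missing Zone element")
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append(DS(
            key_tag=int(kd.findtext("KeyTag")),
            algorithm=int(kd.findtext("Algorithm")),
            digest_type=int(kd.findtext("DigestType")),
            digest=bytes.fromhex(kd.findtext("Digest")),
            valid_from=datetime.fromisoformat(kd.get("validFrom")),
            valid_until=datetime.fromisoformat(until) if until else None,
        ))
    return zone, anchors


def current_anchors(anchors: List[DS], now: datetime) -> List[DS]:
    """Keep only entries whose validity window contains `now` (tz-aware)."""
    return [a for a in anchors
            if a.valid_from <= now and (a.valid_until is None or now < a.valid_until)]


def wire_name(name: str) -> bytes:
    """Canonical wire-format owner name: lower-cased labels, root is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY RDATA from presentation-format fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest = hash(owner wire name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return DIGEST_ALGS[digest_type](wire_name(owner) + rdata).digest()


def dnskey_matches(anchor: DS, owner: str, rdata: bytes) -> bool:
    """True if this DNSKEY is the key the DS anchor commits to."""
    if len(rdata) < 4:
        return False
    flags, _protocol, alg = struct.unpack("!HBB", rdata[:4])
    if not flags & 0x0100:            # zone-key bit clear: never usable as a trust anchor
        return False
    if alg != anchor.algorithm or key_tag(rdata) != anchor.key_tag:
        return False
    if anchor.digest_type not in DIGEST_ALGS:
        return False                  # unknown digest type: treat as no match, not as trusted
    return hmac.compare_digest(ds_digest(owner, rdata, anchor.digest_type), anchor.digest)


def keys_trusted_by_anchors(xml_text: str, owner: str, dnskeys: List[bytes],
                            now: datetime) -> List[bytes]:
    """DNSKEYs from `dnskeys` that a currently valid anchor vouches for; error if none is valid."""
    zone, anchors = parse_trust_anchors(xml_text)
    if wire_name(zone) != wire_name(owner):
        raise ValueError("anchor file is for zone %r, not %r" % (zone, owner))
    live = current_anchors(anchors, now)
    if not live:
        raise ValueError("no trust anchor is valid at " + now.isoformat())
    return [rd for rd in dnskeys if any(dnskey_matches(a, owner, rd) for a in live)]
```

Two details worth keeping when porting this: the validity window is checked
before any digest comparison, so an expired KeyDigest can never re-admit a
retired key, and an empty set of live anchors is an error rather than "trust
nothing silently", which is the condition a resolver should refuse to start in.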