[DNSOP] zone signing with or without parental buy-in

Jim Reid <jim@rfc1035.com> Sun, 07 March 2010 13:43 UTC


On 7 Mar 2010, at 12:37, bmanning@vacation.karoshi.com wrote:

> ah come on Jim... folks should sign their zones as soon
> as they see fit, regardless of parental buy-in.

Bill, IMO there's not much point in signing root-servers.net until its parents are signed. [And as I explained earlier, signing that zone is highly unlikely to make any difference to the threat of spoofed responses to priming queries.] While folk should sign zones as they see fit, lack of parental buy-in is a major reason why they don't sign their zones. The horrors of alternate Trust Anchors should make everyone think very long and hard about when to deploy DNSSEC.

This is maybe just about tolerable for a handful of TLDs. However I hope all this will melt away once we've reached the promised land of a signed root this summer.

That said, I'd encourage people to put zone signing into pre-production so they can figure out how to update procedures and documentation, train ops/support staff and also get experience with signing tools, key rollovers and so forth. They'll then be ready to flick the switch come the glorious day when their parent(s) are signing delegations.
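In concrete terms, "parental buy-in" means the parent zone publishes (and signs) a DS record whose digest matches the child's key-signing DNSKEY; until that DS exists, validators have no chain from the root to the child and the child's signatures do nothing for them. The following is an added example, not code from this mail or from any DNSSEC tool: it computes the DS record for a DNSKEY in zone-file presentation format (key tag per RFC 4034 Appendix B, digest per RFC 4034/4509/6605) and checks whether a DS the parent claims to publish actually matches. The zone name example.test and the key bytes are constructed placeholders, not a real key; the kind of check this performs is one an operator can rehearse in the pre-production phase described above, before the parent starts signing delegations.

```python
import base64
import hashlib

# Constructed KSK for a made-up zone. The "key" is arbitrary sample bytes,
# not real RSA key material; it only needs to be valid base64.
CONSTRUCTED_KSK = "example.test. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(
    b"not-a-real-rsa-key-just-sample-bytes"
).decode("ascii")

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Encode an owner name in canonical (lowercase, uncompressed) wire format."""
    out = b""
    stripped = name.rstrip(".").lower()
    if stripped:
        for label in stripped.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def parse_dnskey(line):
    """Parse 'owner ttl IN DNSKEY flags proto alg key...' into its fields."""
    fields = line.split()
    if len(fields) < 7 or fields[3].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[4:7])
    key = base64.b64decode("".join(fields[7:]))  # base64 may be split across fields
    return owner, flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag for all algorithms except RSA/MD5 (1)."""
    if alg == 1:
        raise ValueError("RSA/MD5 uses a different key tag rule and is deprecated")
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, proto, alg, key)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(line, digest_type=2):
    """Return (key_tag, algorithm, digest_type, hex digest) for a DNSKEY line."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    if not flags & 0x0001:
        raise ValueError("flags bit 15 (Zone Key) is not set; not a zone key")
    h = DIGEST_TYPES[digest_type]()
    # DS digest is over the canonical owner name followed by the DNSKEY RDATA.
    h.update(name_to_wire(owner) + dnskey_rdata(flags, proto, alg, key))
    return key_tag(flags, proto, alg, key), alg, digest_type, h.hexdigest().upper()


def ds_presentation(line, digest_type=2):
    """Render the DS record the parent would need to publish for this DNSKEY."""
    owner = parse_dnskey(line)[0]
    tag, alg, dtype, digest = ds_from_dnskey(line, digest_type)
    return "%s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest)


def parent_ds_matches(dnskey_line, parent_ds_line):
    """True if the DS the parent publishes corresponds to this child DNSKEY."""
    fields = parent_ds_line.split()
    if len(fields) < 7 or fields[2].upper() != "DS":
        raise ValueError("not a DS record: %r" % parent_ds_line)
    tag, alg, dtype = (int(x) for x in fields[3:6])
    digest = "".join(fields[6:]).upper()
    if dtype not in DIGEST_TYPES:
        return False  # unknown digest type: a validator would treat it as unusable
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, digest)


if __name__ == "__main__":
    wanted = ds_presentation(CONSTRUCTED_KSK)
    print("DS the parent must publish:", wanted)
    print("parent DS matches child KSK:", parent_ds_matches(CONSTRUCTED_KSK, wanted))
```

Running this prints the DS that the parent has to carry for the constructed key and confirms a match; feeding it a DS copied from the parent's actual zone (for a real delegation, with the real DNSKEY) is the check that tells you whether the chain of trust will close once the parent signs.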