[DNSOP] Trust History draft
"W.C.A. Wijngaards" <wouter@NLnetLabs.nl> Tue, 30 June 2009 11:45 UTC
Message-ID: <4A49FACD.8020400@nlnetlabs.nl>
Date: Tue, 30 Jun 2009 13:45:17 +0200
From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>
To: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Trust History draft
Hi,

Just new in the dnsop wg tools page:
http://tools.ietf.org/html/draft-wijngaards-dnsop-trust-history-00

This is the same version as draft-wijngaards-dnsext-trust-history-03, but moved to the DNSOP wg. I would like to request adoption of the document.

Why? I want to enable end users to use validators. They use computers that sometimes skip a month (holiday), or install software that is a couple years old. RFC5011 cannot keep up in that case, and this trust-history can then be used to get the latest trust anchor.

This latest version has a number of features that I'll present in a point list:

* Can detect trust point deletion, where the zone owner wants to un-sign the zone.
* Honors RFC5011 hold-down-timer. Thus it cannot be used to work around the 5011 timers.
* Track SEP keys. Access to the KSK is necessary to change the keyset for the zone.
* Uses a clean new RR type, for dnsext expert review, to help store the information in the DNS.

So, this way, software can include a DNSSEC trust anchor, which can be used years later to fetch the latest trust anchor, while the DNS zone uses regular rollovers. After fetching the latest, software can then use 5011 to track the anchor. If the 5011 updates fail because the machine was offline or the software is reinstalled, the history can be used again, and then 5011 works again.

Best regards,
Wouter
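The walk the message describes, as an added example that is not part of the original post, the draft, or any NLnet Labs code: a resolver shipped with a years-old trust anchor replays a history of historical SEP keysets forward, and every step is only accepted under the RFC 5011 rules (signed by a currently trusted key, new keys subject to the 30-day add hold-down, revocation only when self-signed, trust point deleted when every anchor is revoked). The data model (`Key`, `KeySet`, `Canonical`), the helper names (`Walk`, `Signed`, `NewSigner`, `Demo`) and the use of Ed25519 in place of a DNSSEC algorithm are assumptions made for this example and are not the draft's RR type or wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Assumed model (not the draft's RR format): a time-ordered list of SEP
// keysets, each signed by keys that were trusted at the step before it.
const HoldDown = 30 * 24 * time.Hour // RFC 5011 add hold-down time

type Key struct {
	ID      uint16
	Pub     ed25519.PublicKey
	Revoked bool // RFC 5011 REVOKE bit
}

type KeySet struct {
	Time time.Time         // publication time of this step
	Keys []Key             // SEP keys published at Time
	Sigs map[uint16][]byte // signature over Canonical(), per signing key ID
}

// Canonical is the byte string the signatures cover.
func (ks KeySet) Canonical() []byte {
	b := []byte(ks.Time.UTC().Format(time.RFC3339))
	for _, k := range ks.Keys {
		b = append(append(b, fmt.Sprintf("|%d:%t:", k.ID, k.Revoked)...), k.Pub...)
	}
	return b
}

var ErrNoTrustedSig = errors.New("keyset is not signed by any trusted key")
var ErrTrustPointGone = errors.New("all trusted keys revoked: trust point deleted")

// Walk replays history from the built-in anchor, applying the RFC 5011 rules
// at each step, and returns the current trust anchors keyed by key ID.
func Walk(anchor Key, history []KeySet) (map[uint16]Key, error) {
	trusted := map[uint16]Key{anchor.ID: anchor}
	pending := map[uint16]time.Time{} // candidate key -> first time seen
	dead := map[uint16]bool{}         // revoked keys are never trusted again
	for _, ks := range history {
		msg, ok := ks.Canonical(), false
		for id, k := range trusted { // 1. a step must validate with a trusted key
			if sig, has := ks.Sigs[id]; has && ed25519.Verify(k.Pub, msg, sig) {
				ok = true
			}
		}
		if !ok {
			return nil, ErrNoTrustedSig
		}
		for _, k := range ks.Keys {
			if t, isTrusted := trusted[k.ID]; isTrusted {
				// 2. revocation counts only when self-signed by the revoked key
				if sig, has := ks.Sigs[k.ID]; k.Revoked && has && ed25519.Verify(t.Pub, msg, sig) {
					delete(trusted, k.ID)
					dead[k.ID] = true
				}
			} else if first, seen := pending[k.ID]; k.Revoked || dead[k.ID] {
				continue // never add a key that is, or ever was, revoked
			} else if !seen { // 3. add hold-down starts when a key first appears...
				pending[k.ID] = ks.Time
			} else if ks.Time.Sub(first) >= HoldDown { // ...and ends after HoldDown
				trusted[k.ID] = k
				delete(pending, k.ID)
			}
		}
		if len(trusted) == 0 { // 4. trust point deletion: every anchor revoked
			return nil, ErrTrustPointGone
		}
	}
	return trusted, nil
}

// Signer holds a key's private half; only the zone owner has these.
type Signer struct{ Key Key; priv ed25519.PrivateKey }

func NewSigner(id uint16) Signer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Signer{Key{ID: id, Pub: pub}, priv}
}

// Signed builds the keyset published at t and signs it with every signer.
func Signed(t time.Time, keys []Key, signers ...Signer) KeySet {
	ks := KeySet{Time: t, Keys: keys, Sigs: map[uint16][]byte{}}
	for _, s := range signers {
		ks.Sigs[s.Key.ID] = ed25519.Sign(s.priv, ks.Canonical())
	}
	return ks
}

// Demo (constructed scenario): software shipped with key 1; the zone has
// since rolled to key 2 and then key 3, so the walk should end at {2, 3}.
func Demo() (map[uint16]Key, error) {
	k1, k2, k3 := NewSigner(1), NewSigner(2), NewSigner(3)
	t0, day := time.Date(2009, 1, 1, 0, 0, 0, 0, time.UTC), 24*time.Hour
	k1rev := k1.Key
	k1rev.Revoked = true
	return Walk(k1.Key, []KeySet{
		Signed(t0, []Key{k1.Key, k2.Key}, k1),                        // key 2 appears
		Signed(t0.Add(31*day), []Key{k1.Key, k2.Key}, k1, k2),        // key 2 trusted
		Signed(t0.Add(62*day), []Key{k1rev, k2.Key, k3.Key}, k1, k2), // 1 revoked, 3 appears
		Signed(t0.Add(100*day), []Key{k2.Key, k3.Key}, k2, k3),       // key 3 trusted
	})
}

func main() { fmt.Println(Demo()) }
```

The point worth checking in any real implementation is step 1 combined with step 3: a history entry that is not signed by a key the resolver already trusts is rejected outright, and a key that has not been published for the full hold-down is not promoted, so the history cannot be used to shortcut the 5011 timers or to splice in an attacker's key. A production walker would also restart a candidate's hold-down when it disappears from a later keyset and would take the timestamps and signatures from the draft's RR type rather than from this constructed keyset format.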