Protocol Action: 'Automated Updates of DNSSEC Trust Anchors' to Proposed Standard
The IESG <iesg-secretary@ietf.org> Thu, 12 July 2007 14:12 UTC
From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-Id: <E1I8zOC-0005zM-EZ@stiedprstage1.ietf.org>
Date: Thu, 12 Jul 2007 10:11:28 -0400
Cc: dnsext mailing list <namedroppers@ops.ietf.org>, dnsext chair <dnsext-chairs@tools.ietf.org>, Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: Protocol Action: 'Automated Updates of DNSSEC Trust Anchors' to Proposed Standard
The IESG has approved the following document:

- 'Automated Updates of DNSSEC Trust Anchors'
  <draft-ietf-dnsext-trustupdate-timers-06.txt> as a Proposed Standard

This document is the product of the DNS Extensions Working Group.

The IESG contact persons are Mark Townsley and Jari Arkko.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-trustupdate-timers-06.txt

Technical Summary

The document describes a means for automatically updating public keys that are configured in DNSSEC aware resolvers. New trust-anchors are configured when signatures over them can be validated using the previous trust-anchors. By introducing explicit revocation and a delay mechanism the chances of an attacker introducing a mala fide trust-anchor after a key compromise are mitigated, albeit not solved.

Working Group Summary

There is a broad consensus that this solution provides a workable key-rollover. The working group is aware of IPR issues. There have been a number of well-documented reviews and comments on this document, please see the PROTO statement for a detailed overview.

Protocol Quality

There are no implementations yet. The chairs are aware of at least 1 and maybe 2 independent organizations that plan on implementing. At least one implementer has done in-depth review during last call. The chairs are of the opinion that after implementations are written there is probably mileage in documenting operational experiences.

Note to RFC Editor

Please append the following to the Security Considerations section:

"Security considerations for trust anchor rollover not specific to this protocol are discussed in [ID.ietf-dnsext-rollover-requirements]"

and add this to the informative references:

[ID.ietf-dnsext-rollover-requirements] Eland, H., Mundy R., Crocker, S., and S. Krishnaswamy, "Requirements related to DNSSEC Trust Anchor Rollover", draft-ietf-dnsext-rollover-requirements-04 (work in progress), November 2006.