I have some high-level questions about key rollover. The problem with RFC 5011 is that software has to have some out-of-band way to bootstrap its DNSSEC trust anchors. That is, the DNSSEC root KSK is not a trust anchor, for the purposes of bootstrapping.

At the moment the trust anchors are the ICANN x.509 self-signed certificate and/or the PGP keyring. What are the processes for rolling over these keys? How should manufacturers of software or hardware with a long shelf-life use them to bootstrap DNSSEC?

I think it was a mistake to drop the trust anchor history draft, because it has a reasonably coherent answer to the problem. I think the arguments that it is not secure enough are misguided.

What we want is a way for software to bootstrap its DNSSEC trust anchor that is better than a leap of faith. This can perhaps be backed up with x.509 validation of the trust anchor once DNS is up and the higher levels of the stack are able to look up host names.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
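The message above is about how a validator gets its first trust anchor at all. Whatever out-of-band channel delivers that anchor (a signed file, a cert, a PGP-signed keyring), the anchor itself is usually expressed in DS form: key tag, algorithm, digest type and a digest over the DNSKEY. The step that happens once DNS is up is mechanical: fetch the root DNSKEY RRset and check that one of the keys hashes to the shipped anchor. The following is an added example, not code from the post or from any resolver; it implements the DS digest (RFC 4034 section 5.1.4) and the key tag (RFC 4034 Appendix B) over a constructed DNSKEY, so the key bytes, the anchor and the "rolled" key are all made up for illustration. It assumes the anchor has already been obtained and verified out of band, which is exactly the part the post says is still a leap of faith.

```python
"""Check a DNSKEY seen in the DNS against an out-of-band trust anchor in DS form.

Added example, not from the original post. The key material below is
constructed (it is not a real root KSK); only the digest and key-tag
arithmetic follow RFC 4034.
"""
import hashlib
import hmac
import struct

# RFC 4034 section 5.1.3 / RFC 6605: DS digest types a validator should accept.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7, must be set for a signing key


def name_to_wire(name: str) -> bytes:
    """Encode an owner name in uncompressed, canonical (lowercase) wire form.

    "." (the root) encodes as a single zero byte.
    """
    out = b""
    for label in [l for l in name.rstrip(".").split(".") if l]:
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest(owner name in wire form || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def matches_trust_anchor(owner: str, rdata: bytes, anchor: dict) -> bool:
    """True if this DNSKEY is the key the DS-form trust anchor commits to.

    anchor carries the DS fields: key_tag, algorithm, digest_type, digest.
    Cheap field checks come first; the digest comparison is constant time.
    """
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3 or not flags & ZONE_KEY_FLAG:
        return False
    if algorithm != anchor["algorithm"] or key_tag(rdata) != anchor["key_tag"]:
        return False
    if anchor["digest_type"] not in DIGEST_ALGS:
        return False  # unknown digest type: cannot validate, treat as no match
    got = ds_digest(owner, rdata, anchor["digest_type"])
    return hmac.compare_digest(got.lower(), anchor["digest"].lower())


# Constructed key bytes (placeholders, not a usable RSA key): 257 = ZONE|SEP.
CONSTRUCTED_KEY = bytes([0x01, 0x03, 0xC0, 0xFF, 0xEE, 0x00])
ROLLED_KEY = bytes([0x01, 0x03, 0xC0, 0xFF, 0xEE, 0x01])  # a different (rolled) key
ROOT_KSK_RDATA = dnskey_rdata(257, 3, 8, CONSTRUCTED_KEY)
ROLLED_KSK_RDATA = dnskey_rdata(257, 3, 8, ROLLED_KEY)

# The DS-form anchor a vendor would ship with the product, derived here from the
# constructed key so the example is self-contained.
ROOT_ANCHOR = {
    "key_tag": key_tag(ROOT_KSK_RDATA),
    "algorithm": 8,
    "digest_type": 2,
    "digest": ds_digest(".", ROOT_KSK_RDATA, 2),
}


def main() -> None:
    print("shipped anchor:", ROOT_ANCHOR)
    print("observed key matches:", matches_trust_anchor(".", ROOT_KSK_RDATA, ROOT_ANCHOR))
    print("rolled key matches:  ", matches_trust_anchor(".", ROLLED_KSK_RDATA, ROOT_ANCHOR))


if __name__ == "__main__":
    main()
```

The rolled-key case is the one to keep in mind for long-shelf-life devices: once the root KSK has rolled, the shipped anchor matches nothing in the live DNSKEY RRset, and the device needs either RFC 5011 state it never had or a fresh out-of-band anchor.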