On 3 Oct 2010, at 08:27, Jakob Schlyter <ja...@kirei.se> wrote:
> On 1 okt 2010, at 20.59, Tony Finch wrote:
>>
>> Right, so it's aimed at human consumption rather than automatic tools?
>
> Given the historical information (together with old DNSKEY), you could build
> a trust anchor history zone.
Not really, since you need the private key of the old TA to sign the public key
of the new one to get a cryptographic proof of the history. Without that it is
just a third party attestation, which is rather weaker.
You can get a proof of the history by archiving the root DNSKEY and associated
RRSIG RRsets, but that includes a lot of irrelevant noise from ZSK rollovers
and signature refreshes.
>
>> How much do you intend automated tools to use the trust anchor publication
>> web site? And which of the files that are published there?
>
> I know of at least one vendor that has started to implement support to base
> trust anchor fallback on the information in the TA repository. As soon as
> their code and ideas are mature enough, I hope they'll share their thoughts.
Sounds good.
I should have asked more clearly whether you expect end-user devices to use the
IANA publication site directly or whether vendors should re-publish it for
their purposes.
Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
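As an added example, not from this thread, here is a constructed Go model of the succession proof Tony describes: each history record carries the successor key signed by the predecessor's private key, so a verifier holding any older anchor can walk forward to the current one, while a record vouched for only by an unrelated key (a third-party attestation) fails the walk. The Rollover type, VerifyHistory, Roll and the ed25519 keys are assumptions for illustration, not the IANA repository format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Rollover is one constructed history record: the successor anchor's public
// key plus a signature over it made with the predecessor's private key.
type Rollover struct {
	NewKey ed25519.PublicKey
	Sig    []byte
}

// VerifyHistory walks forward from an anchor the verifier already trusts and
// requires each successor to be signed by its predecessor; returns current anchor.
func VerifyHistory(trusted ed25519.PublicKey, history []Rollover) (ed25519.PublicKey, error) {
	cur := trusted
	for i, r := range history {
		if len(r.NewKey) != ed25519.PublicKeySize || !ed25519.Verify(cur, r.NewKey, r.Sig) {
			return nil, fmt.Errorf("rollover %d: successor not signed by predecessor", i)
		}
		cur = r.NewKey
	}
	return cur, nil
}

// NewKeyPair generates a sample anchor key pair (constructed test data).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Roll replaces the anchor whose private key is prev; prev signs the successor.
func Roll(prev ed25519.PrivateKey) (Rollover, ed25519.PrivateKey) {
	newPub, newPriv := NewKeyPair()
	return Rollover{NewKey: newPub, Sig: ed25519.Sign(prev, newPub)}, newPriv
}

func main() {
	pub0, priv0 := NewKeyPair()
	r1, priv1 := Roll(priv0)
	r2, _ := Roll(priv1)
	_, err := VerifyHistory(pub0, []Rollover{r1, r2})
	fmt.Println("chain verified:", err == nil)
}
```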
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop