On 4 Oct 2010, at 16:34, Joe Abley <jab...@hopcount.ca> wrote: > On 2010-10-04, at 11:18, Tony Finch wrote: > >> It isn't immediately clear to me from the root KSK DPS whether you expect >> RFC 5011 to work in the event of a compromise. >> > > We seem once again to be moving from the subject at hand to a review and > discussion of the KSK DPS. I would prefer to focus on the document at hand, > here.
It is relevant because the trust anchor publication scheme is the only fallback we have when RFC 5011 fails. If we can reduce the number of possible failure scenarios then we don't have to rely so much on higher level systems that are less well documented and not so impressively well secured. I am really concerned that it might become impossible to roll the root TA. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ > If you would like more insight into the design decisions that resulted in the > current DPS, I am sure the authors of it would be happy to talk to you about > it. > >> There seems to be a significant difference between 5011 and the root TA >> operational plan. 5011 suggests there should be a backup TA key pair which >> is generated and published well in advance, but not used operationally. It >> just exists to be ready in case of loss or compromise of the operational >> TA. The root TA has no such backup. > > Correct. There is no hot-standby replacement KSK for the root zone. > > > Joe > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
