On Wed, Nov 30, 2016 at 10:43 AM, Matt Larson <m...@kahlerlarson.org> wrote:
> > On Nov 29, 2016, at 8:31 AM, Olafur Gudmundsson <o...@ogud.com> wrote:
> >
> > IMHO the device should have two sources of truth for DNSSEC root TA
> > a) DNS via RFC5011
> > b) Secure Software update from the vendor
> >
> > If both fail then operator should be invoked.
>
> Did you see my message earlier in the thread? Is there a reason you don't
> include a third option: retrieving the trust anchor file published by
> IANA/PTI (https://data.iana.org/root-anchors/root-anchors.xml) and
> validating with the detached S/MIME signature published in the same place
> (https://data.iana.org/root-anchors/root-anchors.p7s)? That signature
> chains to the ICANN CA cert, which currently expires in 2029. Sure, it's
> more code, but it can all be done with OpenSSL, for example.
>
> Matt
>

I saw your message; the issue is that it is not, at this point, well documented how a vendor can integrate this into their setup scripts.
What is needed is documentation on how to fetch this, and preferably an open source tool demonstrating the process and verification.

The fundamental question is "what validates the root-anchors.xml file and how can I trust that in 10 years?"

Olafur
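The thread asks for a demonstrator of the fetch-and-verify step Matt describes: check root-anchors.xml against the detached S/MIME signature in root-anchors.p7s, then turn the `KeyDigest` entries into DS records and compare them with the DNSKEY the resolver actually sees. The script below is an added example written for this post; it is not code from the DNSOP thread, from IANA or from any vendor. It assumes `openssl` is on PATH, that the ICANN CA certificate is available locally at a placeholder path (`ICANN_CA_BUNDLE`), and it works on a constructed DNSKEY and a constructed anchor file in IANA's XML layout, so the digest values are derived from the toy key rather than being the real root KSK digests.

```python
"""Added example (not from the DNSOP thread or IANA): verify the IANA root
trust anchor file and match its DS digests against a DNSKEY."""
import base64
import hashlib
import subprocess
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Hypothetical location of the ICANN CA certificate (assumption, not from the thread).
ICANN_CA_BUNDLE = "/etc/dnssec/icann-ca-bundle.pem"


def verify_detached_signature(xml_path: str, p7s_path: str,
                              ca_bundle: str = ICANN_CA_BUNDLE) -> bool:
    """Verify root-anchors.xml against the detached DER-encoded S/MIME (CMS)
    signature root-anchors.p7s, chaining to the ICANN CA. True only if OpenSSL
    exits 0; a trust store that lacks the ICANN CA must make this fail."""
    proc = subprocess.run(
        ["openssl", "smime", "-verify", "-inform", "DER", "-in", p7s_path,
         "-content", xml_path, "-CAfile", ca_bundle, "-out", "/dev/null"],
        capture_output=True, text=True)
    return proc.returncode == 0


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(rdata: bytes, digest_type: int, owner: str = ".") -> str:
    """RFC 4034 section 5.1.4: digest(owner name in wire form | DNSKEY RDATA).
    DigestType 1 = SHA-1, 2 = SHA-256; the root owner name is a single zero byte."""
    if owner == ".":
        wire = b"\x00"
    else:
        labels = owner.rstrip(".").split(".")
        wire = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire + rdata).hexdigest().upper()


def parse_anchors(xml_text: str, at_iso: str):
    """Return (zone, [(keytag, alg, digesttype, digest), ...]) for the KeyDigest
    entries whose validFrom/validUntil window covers the instant `at_iso`."""
    at = datetime.fromisoformat(at_iso)
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)
    root = ET.fromstring(xml_text)
    anchors = []
    for kd in root.iter("KeyDigest"):
        valid_from = datetime.fromisoformat(kd.get("validFrom"))
        valid_until = kd.get("validUntil")
        if at < valid_from or (valid_until and at >= datetime.fromisoformat(valid_until)):
            continue  # expired or not yet active: must not be used as a trust anchor
        anchors.append((int(kd.findtext("KeyTag")), int(kd.findtext("Algorithm")),
                        int(kd.findtext("DigestType")), kd.findtext("Digest").upper()))
    return root.findtext("Zone"), anchors


def dnskey_matches_anchor(rdata: bytes, anchors) -> bool:
    """True if the DNSKEY's key tag, algorithm and DS digest match some current anchor."""
    tag = key_tag(rdata)
    return any(tag == a_tag and rdata[3] == a_alg and ds_digest(rdata, dtype) == digest
               for a_tag, a_alg, dtype, digest in anchors)


# Constructed sample data: a 4-byte fake "key", not a real RSA key.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, "AQIDBA==")


def sample_anchor_xml() -> str:
    """Constructed root-anchors.xml in IANA's layout; first entry matches SAMPLE_RDATA,
    second entry is a future anchor with a placeholder digest."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="EXAMPLE-ID" source="https://data.iana.org/root-anchors/root-anchors.xml">
<Zone>.</Zone>
<KeyDigest id="Example1" validFrom="2015-01-01T00:00:00+00:00" validUntil="2018-01-01T00:00:00+00:00">
<KeyTag>{key_tag(SAMPLE_RDATA)}</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>{ds_digest(SAMPLE_RDATA, 2)}</Digest>
</KeyDigest>
<KeyDigest id="Example2" validFrom="2017-06-01T00:00:00+00:00">
<KeyTag>1</KeyTag>
<Algorithm>8</Algorithm>
<DigestType>2</DigestType>
<Digest>{"0" * 64}</Digest>
</KeyDigest>
</TrustAnchor>"""


if __name__ == "__main__":
    zone, anchors = parse_anchors(sample_anchor_xml(), "2016-11-30T00:00:00+00:00")
    print(zone, anchors, dnskey_matches_anchor(SAMPLE_RDATA, anchors))
```

In deployment the order matters: run `verify_detached_signature` first and refuse to parse the XML at all if it fails, then filter by validity window, and only then accept a DNSKEY from the root zone whose DS matches. Pinning the ICANN CA certificate into the device image is what makes this a second source of truth independent of DNS; the CA's own expiry is the long-horizon question Olafur raises.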
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop