Re: public consultation on root zone KSK rollover
From: David Conrad <drc () virtualized org>
Date: Sat, 6 Apr 2013 00:53:09 +0800
On Apr 4, 2013, at 5:35 PM, Brandon Butterworth <brandon () rd bbc co uk> wrote:
>> You do realize this requires changing validating resolver
>> configuration data, right?
> Yes. How hard can it be (answer not required).
> While it's quaint that the elders of the internet meet and bless each
> new key I don't think this scales.
The point of the wildly over-engineered root key signing ceremony is to build trust by publicly demonstrating at every
step there is no opportunity for intentional or accidental badness to occur without being noticed. Compare this to the
processes used by commercial X.509 CAs when they roll their root keys (you might also want to look at how often they
roll their keys).
> I know it's not easy but it needs to be simple and automatic for wide deployment.
Even with RFC 5011 support in every validating resolver on the planet (not holding my breath), this requires all of
those validating resolvers to accept a directive from the "outside" which instructs software to write something to
permanent storage. I can easily imagine some folks being a bit nervous about this. Particularly given it would seem
some CPE developers can't figure out how to write DNS resolvers that can be configured to not respond to arbitrary
Frequency of root key rolling is actually a fairly complicated risk/benefit tradeoff. Frequently rolling means it's more
likely that the roll will be successful globally. However, it also increases the risk of (a) breaking DNS resolution
for some percentage of the Internet and (b) catastrophically failing such that RFC 5011-style rollover will no longer
work necessitating a manual reconfiguration of every validating resolver on the Internet. "Choose wisely".
In any event, if you haven't already I would encourage you to provide comments at the URL Joe referenced.
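The failure mode David describes, a roll that goes wrong so badly that RFC 5011 can no longer recover and every validating resolver needs manual reconfiguration, is easy to see with a toy model of the RFC 5011 trust-anchor state machine. The following is an added example written for this archive page, not code from the thread or from any resolver; it simplifies RFC 5011 (no "Missing" state, no polling-interval rule, and an RRset is treated as validly signed by every key listed in `signers`), and the key names `KSK-A`/`KSK-B` and the day-numbered schedules are constructed. It contrasts a roll where the new key is published under the old key for the full 30-day add hold-down before the old key is revoked with one where the old key is revoked too early.

```python
"""Toy RFC 5011 trust-anchor state machine (added example, not from the thread).

Simplified: the 'Missing' state and the requirement to poll at least every
half hold-down interval are omitted; a DNSKEY RRset is treated as validly
signed by every key id listed in `signers`."""
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 default add hold-down time
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 default remove hold-down time


@dataclass
class AnchorState:
    state: str   # 'AddPend', 'Valid' or 'Revoked'
    since: int   # day the key entered this state


@dataclass
class Resolver:
    anchors: dict = field(default_factory=dict)   # key id -> AnchorState

    def valid_ids(self):
        return {k for k, a in self.anchors.items() if a.state == 'Valid'}

    def needs_manual_reconfig(self):
        # Once no Valid anchor remains, RFC 5011 cannot bootstrap a new one.
        return not self.valid_ids()

    def observe(self, day, dnskeys, signers):
        """Process one DNSKEY RRset seen on `day`.

        dnskeys: {key_id: revoke_bit_set}; signers: key ids whose RRSIGs over
        the RRset verified.  Returns True if the RRset was validated by a
        currently Valid (non-revoked) trust anchor."""
        # 1. A known key with the REVOKE bit set, self-signed, becomes Revoked.
        for kid, revoked in dnskeys.items():
            a = self.anchors.get(kid)
            if revoked and a and a.state != 'Revoked' and kid in signers:
                self.anchors[kid] = AnchorState('Revoked', day)

        # 2. Only a still-Valid anchor may vouch for the RRset.
        trusted = bool(self.valid_ids() & signers)

        # 3. Unknown, unrevoked keys in a trusted RRset start their hold-down.
        if trusted:
            for kid, revoked in dnskeys.items():
                if not revoked and kid not in self.anchors:
                    self.anchors[kid] = AnchorState('AddPend', day)

        # 4. A pending key that disappears, or is seen in an RRset no Valid
        #    anchor vouches for, goes back to Start (is forgotten).
        for kid, a in list(self.anchors.items()):
            if a.state == 'AddPend' and (kid not in dnskeys or not trusted):
                del self.anchors[kid]

        # 5. Pending keys that survived the whole hold-down become Valid.
        for kid, a in list(self.anchors.items()):
            if a.state == 'AddPend' and day - a.since >= ADD_HOLD_DOWN_DAYS:
                self.anchors[kid] = AnchorState('Valid', day)

        # 6. Revoked keys are dropped after the remove hold-down.
        for kid, a in list(self.anchors.items()):
            if a.state == 'Revoked' and day - a.since >= REMOVE_HOLD_DOWN_DAYS:
                del self.anchors[kid]
        return trusted


def run_rollover(schedule):
    """Start from a configured anchor KSK-A and replay (day, dnskeys, signers)."""
    r = Resolver()
    r.anchors['KSK-A'] = AnchorState('Valid', 0)   # shipped/configured anchor
    for day, dnskeys, signers in schedule:
        r.observe(day, dnskeys, signers)
    return r


def good_rollover():
    # Constructed schedule: KSK-B is published under KSK-A for the whole
    # hold-down before KSK-A is revoked, so validation never loses an anchor.
    return run_rollover([
        (1,  {'KSK-A': False, 'KSK-B': False}, {'KSK-A'}),
        (15, {'KSK-A': False, 'KSK-B': False}, {'KSK-A'}),
        (31, {'KSK-A': False, 'KSK-B': False}, {'KSK-A'}),           # B -> Valid
        (40, {'KSK-A': True,  'KSK-B': False}, {'KSK-A', 'KSK-B'}),  # A revoked
        (75, {'KSK-B': False}, {'KSK-B'}),                           # A removed
    ])


def bad_rollover():
    # Constructed schedule: KSK-A is revoked on day 10, before KSK-B finished
    # its hold-down.  B is reset, A is revoked, and nothing Valid is left.
    return run_rollover([
        (1,  {'KSK-A': False, 'KSK-B': False}, {'KSK-A'}),
        (10, {'KSK-A': True,  'KSK-B': False}, {'KSK-A', 'KSK-B'}),
        (45, {'KSK-B': False}, {'KSK-B'}),
    ])


if __name__ == '__main__':
    for name, res in (('good', good_rollover()), ('bad', bad_rollover())):
        print(name, 'valid anchors:', sorted(res.valid_ids()),
              'manual reconfig needed:', res.needs_manual_reconfig())
```

The point the model makes concrete: the automated path only works while some key the resolver already trusts remains Valid long enough to vouch for its successor. A resolver that was offline or otherwise missed the hold-down window, or an operator who revokes the old key too soon, ends up in the `bad_rollover` state, which is exactly the case where no DNS-side mechanism can repair the resolver and a human has to touch its configuration.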