Re: public consultation on root zone KSK rollover
From: David Conrad <drc () virtualized org>
Date: Sat, 6 Apr 2013 00:53:09 +0800

Brandon,

On Apr 4, 2013, at 5:35 PM, Brandon Butterworth <brandon () rd bbc co uk> wrote:
>> You do realize this requires changing validating resolver
>> configuration data, right?

> Yes. How hard can it be (answer not required).

> While it's quaint that the elders of the internet meet and bless each
> new key I don't think this scales.

The point of the wildly over-engineered root key signing ceremony is to build trust by publicly demonstrating at every 
step there is no opportunity for intentional or accidental badness to occur without being noticed.  Compare this to the 
processes used by commercial X.509 CAs when they roll their root keys (you might also want to look at how often they 
roll their keys).

> I know it's not easy but it needs to be simple and automatic for wide deployment.

Even with RFC 5011 support in every validating resolver on the planet (not holding my breath), this requires all of 
those validating resolvers to accept a directive from the "outside" which instructs software to write something to 
permanent storage.  I can easily imagine some folks being a bit nervous about this. Particularly given it would seem 
some CPE developers can't figure out how to write DNS resolvers that can be configured to not respond to arbitrary 
external queries.

Frequency of root key rolling is actually a fairly complicated risk/benefit tradeoff. Frequently rolling means it's more 
likely that the roll will be successful globally. However, it also increases the risk of (a) breaking DNS resolution 
for some percentage of the Internet and (b) catastrophically failing such that RFC 5011-style rollover will no longer 
work, necessitating a manual reconfiguration of every validating resolver on the Internet. "Choose wisely".

In any event, if you haven't already, I would encourage you to provide comments at the URL Joe referenced.

Regards,
-drc
