[ksk-rollover] thoughts to the list as requested
Matthew Pounsett
matt at conundrum.com
Tue Apr 2 16:53:59 UTC 2019
On Tue, 2 Apr 2019 at 12:40, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 2 Apr 2019, Matthew Pounsett wrote:
>
> > On the subject of "nobody should bake a particular key into
> software...", John Dickinson and I were entertaining the notion
> > last week of writing up advice to the effect that implementers should
> deprecate the notion of non-5011 trust anchors;
>
> Today this is simply impossible. All machines installed fresh within the
> last 29 days of a KSK roll would die.
>
I believe that is just another case of a no-op. That would be solved in
the same way that static keys deployed in that time are solved today, which
is to say it's implementation (or distribution) specific.
> > I'm persuaded by the use case Paul Ebersman brought up, that some
> networks may prefer to control when and how trust anchor
> > updates happen on their network, and so maybe this advice should be a
> statement about defaults, rather than advice to never have
> > static keys.
>
> We've had this discussion a number of times over the years. You won't
> get a different outcome now. 5011 is fundamentally broken and needs
> another mechanism to support it or a mechanism to replace it.
>
Broken, or just doesn't cover all use-cases? I don't think you'd find any
disagreement that it doesn't cover all use cases. But, that's one of those
discussions we still need to have about having multiple ways to distribute
keys. I don't think this is an argument against treating all trust anchors
as potential 5011 targets.
>
> Also, vendors already have static keys or OS updates. We update the system
> store for CA certificates and DNSSEC root keys with that. We don't see
> this as a big problem (granted, we don't look beyond EOL which you might
> want to)
>
Again, I don't think this is an argument against treating all trust anchors
as being potentially 5011-managed. Just because a trust anchor in DNS
software is configured to be updated by 5011, nothing stops you from
manually replacing it. In fact, your comment about EOL is, I think,
another argument in favour of this.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190402/3a1937e4/attachment.html>
More information about the ksk-rollover
mailing list