[ksk-rollover] alternatives to 5110 for automating roll-over

Michael Richardson mcr at sandelman.ca
Fri Apr 5 18:49:17 UTC 2019

Matthew Pounsett <matt at conundrum.com> wrote:
    >> Matthew Pounsett <matt at conundrum.com> wrote: > Someone suggested
    >> keeping a set of DNSKEYs with a chain of RRSIGs in an > alternate
    >> zone, but that isn't scalable to multiple trust anchors unless >
    >> you've also got some way to signal the name of the alternate zone at
    >> the > apex. And then we're talking about adding a delegation to the
    >> root zone that > is not a TLD registry, which has its own set of
    >> complexities.
    >> One thought is a set of files, copies of the root zone in AXFR or DNS
    >> presentation format.  If available via TCP at a known IP address(es),
    >> then the client can replay the process and roll itself forward.

    > That's still seems root-zone specific, though.  They're not
    > particularly common, but there are other trust anchors out there.  As
    > was done with 5011, it seems prudent to think about how anything we
    > design could be applied to other zones.

That seems a reasonable goal, but if other trust anchors can be updated
through the normal software update process then they may be less of a
problem.  If you can't resolve the root (and don't want to turn off DNSSEC),
then the rest of the Internet is gone...

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 487 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/ksk-rollover/attachments/20190405/b476d1c1/signature.asc>

More information about the ksk-rollover mailing list