[ksk-rollover] Future rollover planning opportunities
Peter van Dijk
peter.van.dijk at powerdns.com
Wed Feb 20 20:06:06 UTC 2019
On 20 Feb 2019, at 13:29, Tony Finch wrote:
> However there has to be a bootstrap mechanism, and the only one available
> is for the validator vendor to provide an initial key set.
If it can provide an initial key set, it can also provide a current key
set. See below :)
> I agree that rollovers need to be routine (I think annual makes sense) but
> they have to be planned with software releases in mind.
I strongly disagree. Users have a trust relationship that everything is
built on already - that with their software vendors. For most people,
that is ‘Debian’ or ‘CentOS’ or perhaps ‘Microsoft’. Debian
already ships a dns-root-data package that contains the current root
trust anchors. This package is updated outside of any release schedules
imposed by ISC, PowerDNS, NLnetlabs, etc.
I understand that the RedHat/CentOS/Fedora side of things also has plans
for this, or maybe has done this meanwhile.
Please build on that relationship. It’s all we need.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/