[ksk-rollover] IoT devices and KSK rollover

Paul Wouters paul at nohats.ca
Mon Jul 1 17:47:38 UTC 2019

On Mon, 1 Jul 2019, Michael Casadevall wrote:

> As for DoT/DoH, none of the above changes as there are no wire protocol
> changes to DNS in either of these use cases, and the cost of
> implementation is stupidly high. First off, it's impossible to deploy
> DoT/DoH in an internal network that uses RFC1918 address space (aka
>,, as CA/B forum CAs can't issue
> certificates for this address space;

What prevents you from requesting a certificate on an internet-connected
IP using ACME, and then moving it to, or also using it on, the internal IP
pointed to by internal-only split DNS?

> Device manufacturers also need to update their devices to update
> their root store from time to time.

I guess it really depends on your definition of IoT.

> It should also be noted that the current Mozilla NSS root store is
> approximately 250 KiB in size uncompressed.

Why would an IoT device need the whole firefox or other vendor root CA
store? Again, it really depends on what you call an IoT device.

> There are major issues with DoH/DoT in general, but a lot of devices in
> general are simply going to be incapable of supporting it because the cost
> of full TLS support + full set of CA root certificates is simply too
> high in terms of flash storage.

Maybe IoT devices shouldn't need to talk to the internet at large? And
their trust model can be minimized to the little things it needs?
