[ksk-rollover] IoT devices and KSK rollover

Michael Richardson mcr at sandelman.ca
Thu Jun 13 01:07:45 UTC 2019


Fred Baker <fredbaker.ietf at gmail.com> wrote:
    > I tend to think that if someone wants to implement DOH, that's fine,
    > but corporate IT needs to ability to impose its own policy there. It
    > needs to be possible to force the use of the DNS protocol rather than
    > HTTPS, to specify the address and key of a chosen DOH server, etc.

https://datatracker.ietf.org/doc/draft-reddy-dprive-bootstrap-dns-server/
tries to do that for almost all the reasons you mention.  Please help.
(Tiru and Dan are the brains here; I'm just the peanut gallery)

A situation with DoH is that you need a secure path to the DoH
anchors.  While CAB limits you to 2yr end certificates, Commercial root CAs
seem to all have 20yr lifetimes, and this seems pretty good.  But, the device
has to do certificate path validation.  Do you need to have them all though?
Is this a feature or a bug, I haven't decided yet.

But, if you already have TLS code in the device, then maybe it's cheaper
to do this instead of DNSSEC.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
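The "secure path to the DoH anchors" point above comes down to a handful of checks the device's TLS client must perform before it trusts a DoH server, and to the interaction between a long-lived root and a short-lived end certificate. The following is an added example, not code from this message or from the draft it links to; it assumes the Python `cryptography` package, and the root name, hostname and lifetimes are constructed to mirror the numbers in the mail (a 20-year root, a 2-year leaf).

```python
"""Added example (not from the original thread): the path validation a
constrained DoH client has to get right against a pinned trust anchor.
Assumes the 'cryptography' package; all names and dates are constructed."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

DOH_HOST = "doh.example.net"  # constructed hostname, not a real resolver
NOW = datetime(2019, 6, 13, tzinfo=timezone.utc)  # fixed clock for reproducibility


def years_after(years):
    """Constructed device clock 'years' after NOW (365-day years)."""
    return NOW + timedelta(days=365 * years)


def _cert(subject, issuer, pubkey, signer, start, days, ca, san=None):
    """Build and sign one certificate for the constructed PKI."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer)]))
         .public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(start)
         .not_valid_after(start + timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return b.sign(signer, hashes.SHA256())


def build_pki(root_years=20, leaf_years=2):
    """Constructed PKI: a long-lived root (the device's trust anchor) and a
    short-lived leaf for the DoH server, mirroring the lifetimes in the mail."""
    root_key = ec.generate_private_key(ec.SECP256R1())
    root = _cert("Constructed Root CA", "Constructed Root CA", root_key.public_key(),
                 root_key, NOW, 365 * root_years, ca=True)
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    leaf = _cert(DOH_HOST, "Constructed Root CA", leaf_key.public_key(),
                 root_key, NOW, 365 * leaf_years, ca=False, san=DOH_HOST)
    return root, leaf


def trust_anchor_pin(cert):
    """What the device ships: a SHA-256 fingerprint of the root, not its name."""
    return cert.fingerprint(hashes.SHA256())


def _validity(cert):
    # cryptography >= 42 has timezone-aware accessors; older versions return naive UTC
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:
        return (cert.not_valid_before.replace(tzinfo=timezone.utc),
                cert.not_valid_after.replace(tzinfo=timezone.utc))


def validate_doh_chain(leaf, root, pinned_fingerprints, hostname, now):
    """Minimal path validation for a DoH server certificate. Returns (ok, reason).
    The anchor is matched by pinned fingerprint so a look-alike root is rejected;
    signature, CA flag, validity windows and the SAN hostname are all checked."""
    if trust_anchor_pin(root) not in pinned_fingerprints:
        return False, "root is not a pinned trust anchor"
    if not root.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
        return False, "issuer certificate is not a CA"
    if leaf.issuer != root.subject:
        return False, "leaf issuer does not match root subject"
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return False, "leaf signature does not verify under root key"
    for name, cert in (("root", root), ("leaf", leaf)):
        nb, na = _validity(cert)
        if not nb <= now <= na:
            return False, f"{name} certificate outside validity window"
    san = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False, "hostname not in leaf SAN"
    return True, "ok"


if __name__ == "__main__":
    root, leaf = build_pki()
    pins = {trust_anchor_pin(root)}
    print(validate_doh_chain(leaf, root, pins, DOH_HOST, NOW))
    # three years on, the 20-year anchor is still fine but the 2-year leaf is not
    print(validate_doh_chain(leaf, root, pins, DOH_HOST, years_after(3)))
```

Running it shows the asymmetry the mail describes: the device can keep the same pinned root for the life of the product, but it still needs working path validation and a sane clock, because the server's end certificate rotates every couple of years and an expired leaf must fail even though the anchor is unchanged.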

