[ksk-rollover] new ksk and DNS software vendors

manu tman chantr4 at gmail.com
Thu Mar 28 14:39:04 UTC 2019

Hi all,

During the BoF session this morning, it was asked how long it would take
vendors to incorporate the new KSK in their software.
The few that spoke said it was a relatively short time. This is fine for
people that get the latest versions and install them, but it involves more
communication between multiple parties when the goal is to update the keys
and does not involve a binary change.

The main issue with going through that route is that the new key is only
useful once it makes it into the distros that ship that software, which
requires DNS software vendors to work with upstream distros to get it in.

One approach I would suggest is to rather work with DNS vendors to make
sure they can all read the keys from a given format(s) (which I am sure is
already the case) and then work with distros to make sure that all the DNS
software they ship uses the same file.
This file can then be distributed via a `trust-anchor` package à la
`ca-certificates` for Red Hat and Debian based distros. There is obviously
an existing process for that, so I am hopeful it could be replicated for
getting trust anchors from IANA. Automation on the distro side to pick up
new trust anchors also seems rather trivial. I would love to hear from
people closer to the distros realm if this is not the case, but it seems something
that could be quite easily addressed and would be sustainable long term.

The update will apply uniformly to all DNS software shipped by the
distros; there is no need to rebuild/recompile anything that involves DNS
software, the package is pretty trivial to update and, assuming 4 major OSS
DNS software packages, overhead drops by 3/4, or even close to 0 if some form of
automation is put in place.
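The step the post leans on, every DNS implementation reading one shared trust-anchor file rather than each shipping its own copy of the KSK, needs a small piece of glue in such a package: read the anchor file in the layout IANA publishes (the `TrustAnchor`/`KeyDigest` XML with `KeyTag`, `Algorithm`, `DigestType` and `Digest` elements), keep only the entries valid at a given time, and emit them in DS presentation format that any resolver accepts. The following is an added example, not code from the post or from any distro's package; the element names follow the public root-anchors.xml layout, but every key tag, digest, date and the DNSKEY itself are constructed for the example and are not real root KSK values. It also shows the check a resolver does against such a file: hashing a DNSKEY the way RFC 4034 defines the DS digest and comparing it with the anchor.

```python
"""Added example: turn a root-anchors.xml style file into DS records and
verify a DNSKEY against it.  Not code from the post; all key material,
key tags, digests and dates below are CONSTRUCTED for the example."""
import hashlib
import struct
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# A KSK DNSKEY: flags 257 (ZONE|SEP), protocol 3, algorithm 8 (RSASHA256).
# The public-key bytes are CONSTRUCTED filler (exponent 65537 followed by a
# fake 256-byte modulus) so the example runs offline; they are not a real key.
SAMPLE_KSK_FLAGS, SAMPLE_KSK_PROTO, SAMPLE_KSK_ALG = 257, 3, 8
SAMPLE_KSK_PUBKEY = b"\x03\x01\x00\x01" + bytes(range(256))
ROOT_OWNER_WIRE = b"\x00"  # the root zone "." is a single empty label


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner_wire: bytes, rdata: bytes, digest_type: int) -> str:
    """DS digest (RFC 4034 section 5.1.4): hash(canonical owner name || DNSKEY RDATA)."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return algo(owner_wire + rdata).hexdigest().upper()


@dataclass
class Anchor:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str
    valid_from: datetime
    valid_until: Optional[datetime]


def build_sample_anchor_xml() -> str:
    """CONSTRUCTED anchor file in the root-anchors.xml layout.  The first
    KeyDigest is an expired placeholder (made-up tag, all-zero digest) so the
    validity filter has something to drop; the second describes SAMPLE_KSK_PUBKEY."""
    rdata = dnskey_rdata(SAMPLE_KSK_FLAGS, SAMPLE_KSK_PROTO, SAMPLE_KSK_ALG, SAMPLE_KSK_PUBKEY)
    zero_digest = "00" * 32
    return f"""<TrustAnchor id="00000000-0000-0000-0000-000000000000" source="constructed-example">
<Zone>.</Zone>
<KeyDigest id="old" validFrom="2010-01-01T00:00:00+00:00" validUntil="2018-01-01T00:00:00+00:00">
<KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
<Digest>{zero_digest}</Digest>
</KeyDigest>
<KeyDigest id="new" validFrom="2017-01-01T00:00:00+00:00">
<KeyTag>{key_tag(rdata)}</KeyTag><Algorithm>{SAMPLE_KSK_ALG}</Algorithm><DigestType>2</DigestType>
<Digest>{ds_digest(ROOT_OWNER_WIRE, rdata, 2)}</Digest>
</KeyDigest>
</TrustAnchor>
"""


def parse_anchors(xml_text: str) -> List[Anchor]:
    """Read every KeyDigest of a root-zone TrustAnchor document."""
    root = ET.fromstring(xml_text)
    if root.findtext("Zone") != ".":
        raise ValueError("only root-zone anchors are expected here")
    anchors = []
    for kd in root.findall("KeyDigest"):
        until = kd.get("validUntil")
        anchors.append(Anchor(
            key_tag=int(kd.findtext("KeyTag")),
            algorithm=int(kd.findtext("Algorithm")),
            digest_type=int(kd.findtext("DigestType")),
            digest=kd.findtext("Digest").strip().upper(),
            valid_from=datetime.fromisoformat(kd.get("validFrom")),
            valid_until=datetime.fromisoformat(until) if until else None,
        ))
    return anchors


def active_anchors(anchors: List[Anchor], at_iso: str) -> List[Anchor]:
    """Anchors whose validity window contains the given ISO-8601 instant."""
    at = datetime.fromisoformat(at_iso)
    return [a for a in anchors
            if a.valid_from <= at and (a.valid_until is None or at < a.valid_until)]


def ds_record_line(a: Anchor) -> str:
    """DS presentation format, the form a shared trust-anchor file would carry."""
    return f". IN DS {a.key_tag} {a.algorithm} {a.digest_type} {a.digest}"


def dnskey_matches_anchor(flags: int, protocol: int, algorithm: int,
                          pubkey: bytes, anchors: List[Anchor]) -> bool:
    """The resolver-side check: does this DNSKEY hash to one of the anchors?"""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    tag = key_tag(rdata)
    return any(a.key_tag == tag and a.algorithm == algorithm
               and a.digest == ds_digest(ROOT_OWNER_WIRE, rdata, a.digest_type)
               for a in anchors)


if __name__ == "__main__":
    current = active_anchors(parse_anchors(build_sample_anchor_xml()), "2019-03-28T00:00:00+00:00")
    for anchor in current:
        print(ds_record_line(anchor))
```

Run stand-alone it prints the single DS line still valid on the post's date; the expired placeholder is filtered out by its `validUntil`. A package built this way would regenerate the DS file from the downloaded XML at install or timer time, and each resolver would point its trust-anchor setting at that one file, which is exactly the "no rebuild of any DNS software" property the post argues for.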
