Rzksk-trust-dev

 

About Rzksk-trust-dev

The goal of the list is to discuss how DNSSEC validation software manages the set of root zone DNSSEC trust anchors. This includes initial learning of the set, maintenance of changes to the set, assisting management of the set, and defending the set from unapproved modifications to the set. The methods discussed need not be specific to the root zone but that is the intended context.

This is an expansion of "Automated Updates of DNSSEC Trust Anchors" (RFC 5011). That mechanism is an in-band means for self-updating by validation software. It lacks a necessary management feature, namely for the initiator to confirm updates have been made. It also is not appropriate in many environments, such as those where configuration management is a centralized activity or where network connectivity is disrupted.

Aspects to be considered include:

1) Management of keys that are trust anchors but are not included in the DNSKEY RRset (due to size constraints). That is, a public key that is intended to be useful as a trust anchor but is not actively in the DNS, in other words a reserve key.

2) The treatment of trust anchors in the "Missing" state of RFC 5011.

3) Making use of multiple and possibly differing sets of trust anchors, such as what might be in the DNSKEY RRset versus a web-based published set of keys.

4) Supplemental tools for operators to self-inspect their running processes.

5) Means to remotely determine trust anchors in a process - building in some sort of authorized disclosure.

This is meant to seed thoughts, not act as a formal charter for the discussion.


To see the collection of prior postings to the list, visit the Rzksk-trust-dev Archives. (The current archive is only available to the list members.)

Using Rzksk-trust-dev
To post a message to all the list members, send email to rzksk-trust-dev@icann.org.

You can subscribe to the list, or change your existing subscription, in the sections below.

Subscribing to Rzksk-trust-dev

Subscribing by web form is temporarily disabled but you may still subscribe via email.

How to Subscribe by Email:

  1. Send an email to Rzksk-trust-dev-join@icann.org.
  2. You will receive an automated response with instructions to confirm your subscription request and complete the process.
  3. If you encounter any problems, contact the administrator named at the bottom of the list subscription page.

Thank you for your patience while we work to provide the community with an improved email subscription service.

Additional information on this temporary change is available on our web site:
https://www.icann.org/en/blogs/details/temporary-changes-to-icanns-email-list-subscription-service-12-10-2022-en
Rzksk-trust-dev Subscribers
(The subscribers list is only available to the list administrator.)


Rzksk-trust-dev list run by edward.lewis at icann.org, paul.hoffman at icann.org