To:
"Scott Rose" <scottr@antd.nist.gov>, "Olaf M. Kolkman" <olaf@ripe.net>, "Bill Manning" <bmanning@isi.edu>
Cc:
<dnssec@cafax.se>
From:
Ólafur Guðmundsson <ogud@ogud.com>
Date:
Thu, 10 Oct 2002 13:31:54 -0400
In-Reply-To:
<007b01c2707d$2c4f1b80$b9370681@antd.nist.gov>
Sender:
owner-dnssec@cafax.se
Subject:
Re: root zone signing and key lengths/lifetimes
At 12:50 2002-10-10, Scott Rose wrote:
>Okay. Seeing that there is no revocation list in DNS, I can understand the
>desire for frequent zone key rollover. Key signing keys (at the root) are
>going to need a special process to distribute, so regular rollover/emergency
>rollover kind of means the same thing. That is, there is no parent to
>interact with, but static resolvers.
>
>Mainly I was wondering why the draft set up frequency of key rollovers. Not
>that it's a huge technical problem. Although the human nature side of me is
>reminded that the more frequent the operation, the more frequent human error
>creeps in.
Two main reasons:
1. To prevent anyone from making the keys in the experiment anything but
experimental keys. We do not want <vendor>X to ship resolvers with
any of these keys in there.
2. Force people to think about if we can do a rollover of the root key,
and how.
Olafur