To: Randy Bush <randy@psg.com>
Cc: "Olaf M. Kolkman" <olaf@ripe.net>, Bill Manning <bmanning@isi.edu>, scottr@antd.nist.gov, dnssec@cafax.se
From: Mark.Andrews@isc.org
Date: Fri, 11 Oct 2002 11:50:07 +1000
In-reply-to: Your message of "Fri, 11 Oct 2002 09:19:00 +0900." <E17znW8-000Gao-00@roam.psg.com>
Sender: owner-dnssec@cafax.se
Subject: Re: root zone signing and key lengths/lifetimes

> i do not understand how new root keys will get to *all* the dnssec-aware
> resolvers.
>
> randy
>

The best way will be for them to periodically request the keys for "." and validate the response. If it passes then you use this new key set to replace your current set of keys.

You then only have to bootstrap the process once. For that you publish the root keys daily in major newspapers around the world. Ask a friend that you trust for the current keys. Ask the roots for the keys that you get and "trust" that the answer has not been spoofed.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
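
The update step described in the message above, as an added example that is not part of the original post or of any resolver's code: a fetched root key set replaces the trusted set only when a currently trusted key signed it. Assumptions: Ed25519 over a SHA-256 digest stands in for the DNSSEC signature on the root key set, no DNS wire format is used, and `TrustStore`, `Update`, `Sign` and `digest` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// TrustStore holds the root keys the resolver currently trusts (hypothetical type).
type TrustStore struct{ keys []ed25519.PublicKey }

// digest is a stand-in for DNSSEC's canonical RRset form: sort the keys, then hash.
func digest(set []ed25519.PublicKey) []byte {
	s := make([]string, len(set))
	for i, k := range set {
		s[i] = string(k)
	}
	sort.Strings(s)
	d := sha256.Sum256([]byte(strings.Join(s, "")))
	return d[:]
}

// Update replaces the trusted set only if a currently trusted key signed the fetched set.
func (t *TrustStore) Update(fetched []ed25519.PublicKey, sig []byte) bool {
	d := digest(fetched)
	for _, k := range t.keys {
		if ed25519.Verify(k, d, sig) {
			t.keys = append([]ed25519.PublicKey(nil), fetched...)
			return true
		}
	}
	return false // unverifiable answer: keep the current keys
}

// Sign is the zone operator's side: sign the published key set with one private key.
func Sign(priv ed25519.PrivateKey, set []ed25519.PublicKey) []byte {
	return ed25519.Sign(priv, digest(set))
}

func main() {
	// Constructed keys: oldPub is the bootstrapped anchor, newPub the rolled key.
	oldPub, oldPriv, _ := ed25519.GenerateKey(nil)
	newPub, _, _ := ed25519.GenerateKey(nil)
	ts := &TrustStore{keys: []ed25519.PublicKey{oldPub}}
	set := []ed25519.PublicKey{newPub}
	fmt.Println("rollover accepted:", ts.Update(set, Sign(oldPriv, set)))
}
```

Once a rollover is accepted, a key left out of the new set no longer validates later updates, so a resolver that misses the overlap window has to bootstrap again.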