To:
Mark.Andrews@isc.org
cc:
Randy Bush <randy@psg.com>, <scottr@antd.nist.gov>, <dnssec@cafax.se>
From:
Olafur Gudmundsson <ogud@ogud.com>
Date:
Fri, 11 Oct 2002 14:13:28 -0400 (EDT)
In-Reply-To:
<200210110150.g9B1o7o1038969@drugs.dv.isc.org>
Sender:
owner-dnssec@cafax.se
Subject:
Re: root zone signing and key lengths/lifetimes
On Fri, 11 Oct 2002 Mark.Andrews@isc.org wrote:

> > > i do not understand how new root keys will get to *all* the dnssec-aware
> > > resolvers.
> > >
> > > randy
> >
>
> The best way will be for them to periodically request the keys for
> "." and validate the response. If it passes then you use this new
> key set to replace your current set of keys. You then only have
> to bootstrap the process once. For that you publish the root
> keys daily in major newspapers around the world. Ask a friend
> that you trust for the current keys. Ask the roots for the
> keys that you get and "trust" that the answer has not been
> spoofed.
>

There is no one "BEST" way to do this; what has to be investigated are
multiple independent distribution mechanisms that all can be used.
This includes DNS, PGP signed messages, X509 certs, well known
web-sites, advertisements in newspapers, ftp-sites, cross signing of
keysets, and more.

There are two different cases we need to worry about:
- computer with human operator
- embedded device

I know we can solve the first one; the second one is MUCH harder when
we take into account that the devices can last 20+ years.

Olafur