To: Mark.Andrews@isc.org
Cc: randy@psg.com, olaf@ripe.net, bmanning@isi.edu, scottr@antd.nist.gov, dnssec@cafax.se
From: Bill Manning <bmanning@isi.edu>
Date: Mon, 21 Oct 2002 09:13:20 -0700 (PDT)
In-Reply-To: <200210110150.g9B1o7o1038969@drugs.dv.isc.org> from "Mark.Andrews@isc.org" at "Oct 11, 2 11:50:07 am"
Sender: owner-dnssec@cafax.se
Subject: Re: root zone signing and key lengths/lifetimes

% > i do not understand how new root keys will get to *all* the dnssec-aware
% > resolvers.
% >
% > randy
%
% 	The best way will be for them to periodically request the keys for
% 	"." validate the response.  If it passes then you use this new
% 	key set to replace your current set of keys.  You then only have
% 	to bootstrap the process once.  For that you publish the root
% 	keys daily in major newspapers around the world.  Ask a friend
% 	that you trust for the current keys.  Ask the roots for the
% 	keys that you get and "trust" that the answer has not been
% 	spoofed.
%
% 	Mark

sorry to interject into your conversation w/ Mr. Bush... but
it's not clear that that path has a clear method to re-establish
trust.  interesting mechanism though.

--bill
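
An added sketch of the in-band rollover described in the quoted text, not code from this thread or from any DNSSEC implementation: a resolver accepts a new root key set only if a key it already trusts signed it. Ed25519 stands in for DNSSEC signatures, every name is hypothetical and the keys are generated on the spot; the second resolver shows one case where trust cannot be re-established in-band, namely after a missed rollover.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// KeySet is a constructed stand-in for a signed root key set (not a DNSSEC RRset).
type KeySet struct {
	Keys []ed25519.PublicKey
	Sig  []byte
}

func concat(keys []ed25519.PublicKey) (b []byte) {
	for _, k := range keys {
		b = append(b, k...)
	}
	return b
}

// Publish signs the next key set with a private key the zone currently holds.
func Publish(cur ed25519.PrivateKey, next ...ed25519.PublicKey) KeySet {
	return KeySet{Keys: next, Sig: ed25519.Sign(cur, concat(next))}
}

// Resolver holds the trust anchors it was bootstrapped with or last accepted.
type Resolver struct{ Anchors []ed25519.PublicKey }

// Refresh replaces the anchors only if a currently trusted key signed the set.
func (r *Resolver) Refresh(ks KeySet) bool {
	for _, a := range r.Anchors {
		if ed25519.Verify(a, concat(ks.Keys), ks.Sig) {
			r.Anchors = ks.Keys
			return true
		}
	}
	return false
}

// Demo rolls the root key twice; one resolver polls each time, one only the last.
func Demo() (polling, stale bool) {
	pub1, priv1, _ := ed25519.GenerateKey(nil)
	pub2, priv2, _ := ed25519.GenerateKey(nil)
	pub3, _, _ := ed25519.GenerateKey(nil)
	gen2, gen3 := Publish(priv1, pub2), Publish(priv2, pub3)
	a := &Resolver{Anchors: []ed25519.PublicKey{pub1}}
	b := &Resolver{Anchors: []ed25519.PublicKey{pub1}}
	return a.Refresh(gen2) && a.Refresh(gen3), b.Refresh(gen3)
}
func main() { fmt.Println(Demo()) } // polling resolver, then stale resolver
```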