To: Randy Bush <randy@psg.com>
Cc: dnssec@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Mon, 21 Oct 2002 16:11:40 -0400
In-Reply-To: <E17znW8-000Gao-00@roam.psg.com>
Sender: owner-dnssec@cafax.se
Subject: rollover at root, was Re: root zone signing...

At 9:19 +0900 10/11/02, Randy Bush wrote:
>i do not understand how new root keys will get to *all* the dnssec-aware
>resolvers.

This is a simple problem to solve. Once the new key set is in use by the root, all resolvers throughout the Internet just query for the root keys and they have them. The new keys are then magically placed into the configuration information, overwriting the old keys.

Not secure enough? The root-signing body gets the keys printed in various periodicals and perhaps in other media forms. If the key's too complex to read aloud, we can make words for parts of it (just like the mnemonic versions of PGP fingerprints or whatever that was called). With this it is trivial to verify that the trusted keys are the ones to use.

All very simple, and amply secure.

The hard part is making sure that resolver managers take the steps to verify the changed keys (assuming the change happens automatically). You cannot automate that step. Making operators take this step is not going to be easy. Everything else in DNSSEC can be, but not this.

I'm concerned about how we get operators (or recursive servers) to maintain trust in the "trusted keys."

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer
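
The verification step discussed in the message above, as an added example that is not part of the original e-mail: a fetched root key replaces the configured trust anchor only if its fingerprint matches the copy obtained out of band. Assumptions: the DNSKEY wire layout and key tag of RFC 4034, SHA-256 as the fingerprint hash, hypothetical function names, and constructed sample keys.

```python
import base64, hashlib, hmac, struct

ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format

def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """DNSKEY RDATA (RFC 4034 section 2.1) from its presentation fields."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)

def key_tag(rdata):
    """Key tag, RFC 4034 Appendix B. A 16-bit hint for operators, not a security check."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def fingerprint(rdata, owner_wire=ROOT_OWNER_WIRE):
    """DS-style digest (RFC 4034 section 5.1.4): hash(owner name | RDATA).
    SHA-256 is an assumption of this example."""
    return hashlib.sha256(owner_wire + rdata).hexdigest()

def accept_new_anchor(fetched_rdata, published_fingerprint):
    """Return the fetched key only if it matches the out-of-band fingerprint."""
    expected = "".join(published_fingerprint.split()).lower()
    if not hmac.compare_digest(fingerprint(fetched_rdata).encode(), expected.encode()):
        raise ValueError("fetched root key does not match published fingerprint")
    return fetched_rdata

# Constructed sample data: neither value is a real root key.
GENUINE = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(64))).decode())
FORGED = dnskey_rdata(257, 3, 8, base64.b64encode(bytes(range(1, 65))).decode())
# Stands in for the fingerprint printed in a periodical and typed in by the
# operator in groups of eight hex digits.
_fp = fingerprint(GENUINE)
PUBLISHED = " ".join(_fp[i:i + 8].upper() for i in range(0, len(_fp), 8))

def install(current_anchor, fetched_rdata, published=PUBLISHED):
    """Overwrite the configured anchor only after verification succeeds."""
    try:
        return accept_new_anchor(fetched_rdata, published)
    except ValueError:
        return current_anchor  # keep the old key; a mismatch needs a human

if __name__ == "__main__":
    old = b"old-anchor"  # placeholder for the currently configured key
    print(key_tag(GENUINE), install(old, GENUINE) == GENUINE, install(old, FORGED) == old)
```

The published fingerprint has to reach the operator over a channel independent of the DNS query itself, which is the step the message says cannot be automated.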