To:
Bill Manning <bmanning@isi.edu>
Cc:
randy@psg.com, olaf@ripe.net, scottr@antd.nist.gov, dnssec@cafax.se
From:
Mark.Andrews@isc.org
Date:
Tue, 22 Oct 2002 12:41:59 +1000
In-reply-to:
Your message of "Mon, 21 Oct 2002 09:13:20 MST." <200210211613.g9LGDLV27499@boreas.isi.edu>
Sender:
owner-dnssec@cafax.se
Subject:
Re: root zone signing and key lengths/lifetimes
> % > i do not understand how new root keys will get to *all* the dnssec-aware
> % > resolvers.
> % >
> % > randy
> %
> % The best way will be for them to periodically request the keys for
> % "." validate the response. If it passes then you use this new
> % key set to replace your current set of keys. You then only have
> % to bootstrap the process once. For that you publish the root
> % keys daily in major newspapers around the world. Ask a friend
> % that you trust for the current keys. Ask the roots for the
> % keys that you get and "trust" that the answer has not been
> % spoofed.
> %
> % Mark
>
> sorry to interject into your conversation w/ Mr. Bush... but it's
> not clear that that path has a clear method to re-establish trust.
> interesting mechanism though.
>
> --bill

No method can automatically re-establish trust once the trust chain
has been broken. Establishment of trust is a manual process as,
unfortunately, is revocation of trust in the root key if it is
compromised.

You can however automatically maintain a trust chain once it is
established. You can also automatically detect when that trust chain
is broken.

We have self-signed root keys. We just need to ensure that they are
re-signed or new keys are generated and signed well before the
existing signatures expire. This doesn't even require direct access
to the root servers. Access to a caching server with access to the
root servers will do.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
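The maintenance loop discussed in this thread (periodically fetch the root key set, validate it against the keys you already trust, replace your trusted set if it verifies, and treat a failed or lapsed validation as a broken chain that only a manual re-bootstrap can repair), as an added Python example that is not part of the thread and not ISC or BIND code. The RSA in it uses fixed, well-known small primes purely as a stand-in for DNSSEC's signature algorithms; the `PublicKey`/`RRSIG` records, the key-tag convention, the canonical serialization and the timestamps are this example's own simplifications, and all key material and dates are constructed.

```python
import hashlib
from dataclasses import dataclass

E = 65537    # RSA public exponent
DAY = 86400  # seconds


@dataclass(frozen=True)
class PublicKey:
    """Stand-in for a root DNSKEY: an RSA public key (n, e) plus a key tag."""
    n: int
    e: int = E

    @property
    def tag(self) -> int:
        # This example's own key-tag convention (real DNSSEC uses a checksum of the RDATA).
        return int(hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()[:8], 16)


@dataclass(frozen=True)
class PrivateKey:
    pub: PublicKey
    d: int


def make_key(p: int, q: int) -> PrivateKey:
    """Textbook RSA from two fixed primes: a toy stand-in, NOT production crypto."""
    n, phi = p * q, (p - 1) * (q - 1)
    return PrivateKey(PublicKey(n), pow(E, -1, phi))


@dataclass(frozen=True)
class RRSIG:
    """Stand-in for an RRSIG over the root DNSKEY RRset."""
    signer_tag: int
    inception: int
    expiration: int
    signature: int


def _digest(keys, inception: int, expiration: int, n: int) -> int:
    # Hash the canonical form of the WHOLE key set plus the validity window, so a
    # signature made over {K2} cannot be replayed over {K2, Kx} or with new dates.
    canon = ";".join(f"{k.tag}={k.n},{k.e}" for k in sorted(keys, key=lambda k: k.tag))
    msg = f".|{inception}|{expiration}|{canon}".encode()
    return int(hashlib.sha256(msg).hexdigest(), 16) % n


def sign_keyset(keys, signer: PrivateKey, inception: int, expiration: int) -> RRSIG:
    h = _digest(keys, inception, expiration, signer.pub.n)
    return RRSIG(signer.pub.tag, inception, expiration, pow(h, signer.d, signer.pub.n))


def verify_rrsig(keys, rrsig: RRSIG, pub: PublicKey) -> bool:
    h = _digest(keys, rrsig.inception, rrsig.expiration, pub.n)
    return pow(rrsig.signature, pub.e, pub.n) == h


class Resolver:
    def __init__(self, anchors):
        # Bootstrap is manual: keys obtained out of band (newspaper, trusted friend).
        self.trusted = {k.tag: k for k in anchors}

    def refresh(self, keys, rrsigs, now: int) -> str:
        """Periodic check of the fetched root key set against what we already trust.

        "accepted":  a currently trusted key signs the set and the signature is in
                     its validity window, so the set replaces our trusted keys.
        "expired":   a trusted key's signature verifies but has lapsed: the root
                     failed to re-sign in time, and we must not accept the set.
        "untrusted": no valid signature by any key we trust (spoofed, tampered, or
                     we missed a rollover); the chain is broken, re-bootstrap by hand.
        """
        status = "untrusted"
        for sig in rrsigs:
            pub = self.trusted.get(sig.signer_tag)
            if pub is None or not verify_rrsig(keys, sig, pub):
                continue
            if not (sig.inception <= now <= sig.expiration):
                status = "expired"
                continue
            self.trusted = {k.tag: k for k in keys}
            return "accepted"
        return status


def demo():
    """Walk one resolver through a re-sign, a key rollover, a spoof, a lapse and a missed rollover."""
    k1, k2, k3 = make_key(15485863, 32452843), make_key(49979687, 67867967), make_key(86028121, 179424673)
    mallory = make_key(1299709, 104729)   # attacker-controlled key, constructed
    t0 = 1_035_000_000                    # constructed epoch, roughly October 2002
    resolver = Resolver([k1.pub])         # manual bootstrap with the current root key
    results = []
    # 1. Routine re-signing of the unchanged set {K1} before the old signature expires.
    ks = [k1.pub]
    results.append(resolver.refresh(ks, [sign_keyset(ks, k1, t0, t0 + 30 * DAY)], t0 + DAY))
    # 2. Rollover, first step: publish {K1, K2} signed by both; K1 carries the trust across.
    ks = [k1.pub, k2.pub]
    sigs = [sign_keyset(ks, k, t0 + 10 * DAY, t0 + 40 * DAY) for k in (k1, k2)]
    results.append(resolver.refresh(ks, sigs, t0 + 11 * DAY))
    # 3. Rollover, second step: retire K1; {K2} signed by K2, trusted since step 2.
    ks = [k2.pub]
    step3 = sign_keyset(ks, k2, t0 + 20 * DAY, t0 + 60 * DAY)
    results.append(resolver.refresh(ks, [step3], t0 + 21 * DAY))
    # 4. Spoof: Mallory's key signed by Mallory, plus step 3's real signature replayed over the new set.
    ks = [k2.pub, mallory.pub]
    results.append(resolver.refresh(ks, [sign_keyset(ks, mallory, t0 + 21 * DAY, t0 + 60 * DAY), step3], t0 + 22 * DAY))
    # 5. Lapse: the root never re-signed {K2}, so the last good signature has expired.
    results.append(resolver.refresh([k2.pub], [step3], t0 + 90 * DAY))
    # 6. Missed rollover: K2 was retired while we were unreachable; {K3} signed only by K3 cannot be validated.
    ks = [k3.pub]
    results.append(resolver.refresh(ks, [sign_keyset(ks, k3, t0 + 90 * DAY, t0 + 120 * DAY)], t0 + 91 * DAY))
    return results, sorted(resolver.trusted)


if __name__ == "__main__":
    statuses, trusted = demo()
    for i, s in enumerate(statuses, 1):
        print(f"step {i}: {s}")
    print("still trusted key tags:", trusted)
```

Steps 1 to 3 are the chain being maintained automatically; steps 4 and 5 are the chain being detected as broken (a spoof, and the root missing its re-signing deadline); step 6 is the case no automation can recover from, since the only key the resolver still trusts is no longer in the published set and the operator has to fetch the current keys out of band again. Keeping the validity window in the signed data is what makes step 5 observable: a resolver that only checked the signature and ignored expiration would keep trusting a set the root had stopped vouching for. The same idea, with hold-down timers added, was later standardised for DNSSEC trust anchors as RFC 5011.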