[134200] in North American Network Operators' Group


Re: .gov DNSSEC operational message

daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Tue Dec 28 23:27:49 2010

Date: Wed, 29 Dec 2010 04:25:27 +0000
From: bmanning@vacation.karoshi.com
To: Kevin Oberman <oberman@es.net>
In-Reply-To: <20101229040722.76F271CC26@ptavv.es.net>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote:
> 
> Yes, having a verifiable source of keys OOB might have a small bit of
> value, but, assuming we get general adoption of RFC 5011, I think it's
> pretty limited value. Of course, this begs the question, how do we do a
> better job of verifying the keys received out of band than the root zone
> does of verifying the keys? Sort of a chicken and egg problem.
> -- 
> R. Kevin Oberman, Network Engineer

	presumes RFC 5011 is viable.  fall outside the 30-day window and
	you're screwed. :)  that said,  what folks came up w/ for the root
	key roll might be a useful template, e.g. the use of TCRs and
	use an M/N assurance check - in those rare cases where you're just
	foobarr'ed and you can't take your servers into the SCIF to rekey.

	and/or an alternative to the strict timing constraints in RFC 5011
	with a protocol that gives more leeway for a node being offline
	over a keyroll interval.

	There -should- be a functional equivalent of OTAR for DNSSEC keys
	that is not constrained to a tight window... IMHO of course.


--bill

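As an added illustration (not from this thread) of the timing problem bill raises: a toy RFC 5011 trust-anchor tracker run against a constructed rollover schedule. The day boundaries, the key tags K1/K2 and the simplified signature model are assumptions; the 30-day add hold-down is RFC 5011's. A resolver polling daily walks K2 through the hold-down and survives K1's revocation; one that is offline across the overlap comes back with no anchor that can validate the RRset.

```python
ADD_HOLD_DOWN_DAYS = 30   # RFC 5011 add-hold-down time

def rollover_schedule(day):
    """Constructed rollover timeline (the day boundaries are assumptions, not
    the real root schedule). Returns (keys, signers): keys maps key tag ->
    REVOKE-bit set?, signers is the set of tags whose RRSIGs cover the RRset."""
    if day < 10:                                   # only the old KSK K1
        return {"K1": False}, {"K1"}
    if day < 60:                                   # K2 pre-published alongside K1
        return {"K1": False, "K2": False}, {"K1", "K2"}
    if day < 90:                                   # K1 revoked (self-signed), K2 signs
        return {"K1": True, "K2": False}, {"K1", "K2"}
    return {"K2": False}, {"K2"}                   # K1 removed entirely

class Resolver:
    """Minimal RFC 5011 trust-anchor tracker: AddPend -> Valid after the
    hold-down, Revoked on a self-signed REVOKE, AddPend reset if a key vanishes."""
    def __init__(self, initial_tag):
        self.anchors = {initial_tag: ("Valid", 0)}  # tag -> (state, first_seen_day)

    def valid_tags(self):
        return {t for t, (state, _) in self.anchors.items() if state == "Valid"}

    def observe(self, day):
        """One poll of the DNSKEY RRset; returns False if it cannot be validated."""
        keys, signers = rollover_schedule(day)
        if not (self.valid_tags() & signers):       # no trusted key signed it
            return False
        for tag, revoked in keys.items():
            if revoked and tag in signers:          # self-signed revocation: drop now
                self.anchors[tag] = ("Revoked", self.anchors.get(tag, (None, day))[1])
            elif tag not in self.anchors:           # new key: start the hold-down clock
                self.anchors[tag] = ("AddPend", day)
            elif self.anchors[tag][0] == "AddPend":
                first = self.anchors[tag][1]
                if day - first >= ADD_HOLD_DOWN_DAYS:
                    self.anchors[tag] = ("Valid", first)
        for tag in list(self.anchors):              # pending key vanished: restart later
            if tag not in keys and self.anchors[tag][0] == "AddPend":
                del self.anchors[tag]
        return True

def run(poll_days):
    """Poll on the given days; return the anchors still Valid and the days that failed."""
    resolver = Resolver("K1")
    failures = [d for d in poll_days if not resolver.observe(d)]
    return resolver.valid_tags(), failures
```

The third case in the test shows the subtler failure: a resolver that returns while K1 is already revoked can still validate that one response, but has never completed K2's hold-down, so it is left with no Valid anchor at all.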
