[162197] in North American Network Operators' Group
Re: public consultation on root zone KSK rollover
daemon@ATHENA.MIT.EDU (David Conrad)
Fri Apr 5 12:53:32 2013
From: David Conrad <drc@virtualized.org>
In-Reply-To: <201304040935.KAA15823@sunf10.rd.bbc.co.uk>
Date: Sat, 6 Apr 2013 00:53:09 +0800
To: Brandon Butterworth <brandon@rd.bbc.co.uk>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Brandon,
On Apr 4, 2013, at 5:35 PM, Brandon Butterworth <brandon@rd.bbc.co.uk> wrote:
>> You do realize this requires changing validating resolver
>> configuration data, right?
>
> Yes. How hard can it be (answer not required).
>
> While it's quaint that the elders of the internet meet and bless each
> new key I don't think this scales.
The point of the wildly over-engineered root key signing ceremony is to build trust by publicly demonstrating at every step there is no opportunity for intentional or accidental badness to occur without being noticed. Compare this to the processes used by commercial X.509 CAs when they roll their root keys (you might also want to look at how often they roll their keys).
> I know it's not easy but it needs to be simple and automatic for wide
> deployment.
Even with RFC 5011 support in every validating resolver on the planet (not holding my breath), this requires all of those validating resolvers to accept a directive from the "outside" which instructs software to write something to permanent storage. I can easily imagine some folks being a bit nervous about this. Particularly given it would seem some CPE developers can't figure out how to write DNS resolvers that can be configured to not respond to arbitrary external queries.
Frequency of root key rolling is actually a fairly complicated risk/benefit tradeoff. Frequently rolling means it's more likely that the roll will be successful globally. However, it also increases the risk of (a) breaking DNS resolution for some percentage of the Internet and (b) catastrophically failing such that RFC 5011-style rollover will no longer work, necessitating a manual reconfiguration of every validating resolver on the Internet. "Choose wisely".
In any event, if you haven't already I would encourage you to provide comments at the URL Joe referenced.
Regards,
-drc
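The two failure modes David describes, a roll that succeeds because resolvers saw the new key for the whole RFC 5011 add hold-down, and a roll that fails so badly that automated trust anchor management can no longer recover, can be made concrete with a small simulation. The model below is an added teaching example written for this archive page; it is not code from any resolver implementation or from the message author. It assumes day-granular polling, the RFC 5011 default 30-day add and remove hold-downs, that a DNSKEY RRset only counts as validated when an RRSIG from a currently Valid anchor covers it (a self-signed RRset can only revoke its own signer), and it omits the Missing state and timer jitter. All key tags ("KSK-OLD", "KSK-NEW") are constructed labels, not real root zone keys.

```python
"""Day-granular simulation of an RFC 5011-style trust anchor state machine.

Hypothetical teaching model written for this note, not code from BIND,
Unbound, or the message author. Simplifications (assumptions):
  - time is counted in whole days and the resolver polls the root DNSKEY
    RRset once per day;
  - a snapshot counts as validated only if an RRSIG from a currently Valid
    trust anchor covers it; a self-signed snapshot can only revoke its signer;
  - the Missing state and the timer jitter of the RFC are left out.
"""
from dataclasses import dataclass, field

ADD_HOLD_DOWN_DAYS = 30     # RFC 5011 add hold-down default
REMOVE_HOLD_DOWN_DAYS = 30  # RFC 5011 remove hold-down default


@dataclass
class Snapshot:
    """One observed DNSKEY RRset. All key tags here are constructed labels."""
    keys: set[str]                                   # key tags in the RRset
    revoked: set[str] = field(default_factory=set)   # tags with the REVOKE bit set
    signers: set[str] = field(default_factory=set)   # tags whose RRSIGs cover it


@dataclass
class Anchor:
    state: str   # AddPend | Valid | Revoked | Removed
    since: int   # day the current state was entered


class Resolver:
    def __init__(self, configured_key: str) -> None:
        # The out-of-band configured anchor (the "blessed" key) starts Valid.
        self.anchors: dict[str, Anchor] = {configured_key: Anchor("Valid", 0)}

    def states(self) -> dict[str, str]:
        return {tag: a.state for tag, a in self.anchors.items()}

    def valid_anchors(self) -> set[str]:
        return {t for t, a in self.anchors.items() if a.state == "Valid"}

    def needs_manual_reconfiguration(self) -> bool:
        """True once no Valid anchor remains: 5011 can no longer self-heal."""
        return not self.valid_anchors()

    def observe(self, day: int, snap: Snapshot) -> None:
        # 1. Revocation needs the REVOKE bit plus a self-signature.
        for tag in snap.revoked & snap.signers:
            a = self.anchors.get(tag)
            if a and a.state in ("Valid", "AddPend"):
                self.anchors[tag] = Anchor("Revoked", day)
        # 2. Revoked anchors are forgotten after the remove hold-down.
        for tag, a in list(self.anchors.items()):
            if a.state == "Revoked" and day - a.since >= REMOVE_HOLD_DOWN_DAYS:
                self.anchors[tag] = Anchor("Removed", day)
        # 3. Anything else requires the RRset to be signed by a Valid anchor.
        if not (snap.signers & self.valid_anchors()):
            return
        # 4. New keys enter AddPend; a key that stays published for the whole
        #    add hold-down becomes Valid; a pending key that vanishes resets.
        for tag in snap.keys - snap.revoked:
            a = self.anchors.get(tag)
            if a is None:
                self.anchors[tag] = Anchor("AddPend", day)
            elif a.state == "AddPend" and day - a.since >= ADD_HOLD_DOWN_DAYS:
                self.anchors[tag] = Anchor("Valid", day)
        for tag, a in list(self.anchors.items()):
            if a.state == "AddPend" and tag not in snap.keys:
                del self.anchors[tag]


def rollover(overlap_days: int) -> Resolver:
    """Publish KSK-NEW beside KSK-OLD for `overlap_days`, then revoke KSK-OLD."""
    r = Resolver("KSK-OLD")
    both = {"KSK-OLD", "KSK-NEW"}
    for day in range(1, overlap_days + 1):
        r.observe(day, Snapshot(both, signers={"KSK-OLD"}))
    flip = overlap_days + 1
    r.observe(flip, Snapshot(both, revoked={"KSK-OLD"}, signers=both))
    # Keep polling for two more months: a healthy resolver tracks KSK-NEW,
    # a broken one is stuck because nothing it trusts signs the RRset.
    for day in range(flip + 1, flip + 61):
        r.observe(day, Snapshot({"KSK-NEW"}, signers={"KSK-NEW"}))
    return r


if __name__ == "__main__":
    for overlap in (40, 10):
        r = rollover(overlap)
        print(f"overlap={overlap:2d}d -> {r.states()}"
              f" manual_fix_needed={r.needs_manual_reconfiguration()}")
```

With a 40-day overlap the new key completes its hold-down before the old one is revoked and the resolver ends with KSK-NEW Valid; with a 10-day overlap the old key is revoked while KSK-NEW is still pending, no Valid anchor remains to validate any later RRset, and the only way out is the manual reconfiguration the message warns about. The same structure explains why a resolver that is powered off, or cannot persist the new anchor, during the hold-down window ends up in the stuck state even when the operator did everything right.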