[dns-wg] DNSSEC Policy Development Process
Jim Reid jim at rfc1035.com
Tue Aug 30 19:49:45 CEST 2005
On Aug 30, 2005, at 17:09, Randy Bush wrote: >> I agree that if we do not get to a point where validators only have >> to configure between one and a handful of trust-anchors and those >> trust-anchors get automatically rolled DNSSEC will not reach the >> masses. >> >> On the other hand we have to start deploying somewhere. > > while i do have sympathy for this, when i consider, or try to > consider, what the trust model and reliability of low-level roll-out > of a hundred or a thousand scattered zones, the mind boggles. as > trust keys require manual maintenance, there will be seemingly random > failures, real fun debugging, ... and the trust won't distribute, > it's SxC. This is why I suggested starting with trying to get .arpa signed. Since it's controlled by the IAB, the zone should be free from the level-9 (and up) issues that infest the root. That would/should mean a single trust anchor for those who wanted to take part in the first faltering steps towards DNSSEC deployment. In the context of what the NCC is proposing, that would mean .arpa signing the KSKs for the stuff delegated by IANA to the NCC. This has to be better than having a bunch of trust anchors for each apex under ip6.arpa and in- addr.arpa -- let's not forget e164.arpa too -- that's managed by the NCC. We appear to agree that path is less than desirable.
[ dns-wg Archives ]