[dns-wg] Re: Outdated RIPE NCC Trust Anchors in Fedora Linux Repositories

At 15:12 +0100 2/8/10, Peter Koch wrote:

>well, this may not lead anywhere useful.

Regretfully I agree with Peter on this point and in that way.

;)

No matter how long the Secure Entry Points (aka KSK) are in use, 
there will be a on-the-shelf piece of equipment that is turned on 
after the keys are history.

Bill Manning made attempts to characterize that problem years ago - 
the most recent San Diego IETF if I recall correctly.  Every time 
someone has a case that solves for up to N, there's a case for N+1. 
(Months, zones, servers, years, you name it.)

Remember that DNSSEC is there to protect the resolver.  I don't think 
there is any (or going to be any) one way that is manageable, 
scale-able, non-commercial (and/or open-source), quick, cheap, 
in-line, dynamic and convenient for zone operators to use to inform 
all recursive servers that there are new SEPs - whether just for the 
root zone or for all the zones, or even just for the roots of 
DNSSEC-ized subtrees.

Well, no "one way" known in advance of deployment.

Perhaps in two or three years we'll have an answer.  Or in two or 
three years network administrators will just put up with "the jungle 
out there."
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.