[dnssec-deployment] meeting announcement: 25 May 2005
Matt Larson
mlarson at verisign.com
Tue May 24 13:24:37 EDT 2005
On Tue, 24 May 2005, Steve Crocker wrote:
> I believe we need a well defined and effective means for enterprises to
> distribute their keys when they're ready, even if the parent TLD is not
> yet ready, but the overall system has to encourage and facilitate
> adoption throughout the hierarchy. This is not a trivial challenge and
> it won't come along without some thought and implementation, but I also
> think it's entirely feasible. Let me press on a bit more.
There are some problems with such a scheme:
- Can validator implementations support the hundreds or thousands of
trust anchors that would potentially result from such a scheme?
- How will these trust anchors be authenticated in this key store
outside of the DNSSEC chain of trust? (They have to be
authenticated both going in and coming out, i.e., registration and
distribution.)
- How will the keys be kept fresh once configured in validators
throughout the Internet? (I would never put my zone's key in such a
store unless there were some reliable mechanism to keep it from
getting stale, which is unlikely without a lot of additional work.)
All of these problems can be overcome with careful engineering, but is
it worth it? I think our time is better spent on removing other
obstacles to deployment: Let's get the root signed. Let's get NSEC3
out the door so registries with privacy and/or resource concerns can
deploy. Let's work on operational documents. But let's be careful
before we start down a path of trying to distribute and maintain lots
of trust anchors.
Matt
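The third problem raised above, a configured trust anchor going stale after the zone rolls its key, is easy to see in code. The following is an added example, not part of this thread or any validator implementation: it builds a DS-style trust anchor (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509) from a zone's DNSKEY and checks whether that anchor still matches the zone's current DNSKEY RRset. The owner name and the two DNSKEY RDATA blobs are constructed sample data, and the "public key" bytes are placeholders rather than a real RSA key.

```python
import hashlib

# Constructed sample data: a KSK (flags=257, protocol=3, algorithm=8) before and
# after a hypothetical key rollover. The key material is a placeholder blob.
OWNER = "example."
CURRENT_DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])
ROLLED_DNSKEY_RDATA = bytes([0x01, 0x01, 0x03, 0x08, 0x03, 0x01, 0x00, 0x01, 0xEE, 0xFF])


def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B, form for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire-format owner name, as used for DS digests."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_from_dnskey(owner: str, rdata: bytes):
    """DS-style anchor: (key tag, algorithm, digest type 2, SHA-256 hex of owner|RDATA)."""
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)


def anchor_is_current(anchor, owner: str, dnskey_rrset) -> bool:
    """True if some DNSKEY in the zone's current RRset reproduces the configured anchor.

    A validator holding an out-of-band anchor should run this against the zone's
    live DNSKEY RRset; a False result means the stored anchor has gone stale."""
    return any(ds_from_dnskey(owner, rd) == anchor for rd in dnskey_rrset)


if __name__ == "__main__":
    anchor = ds_from_dnskey(OWNER, CURRENT_DNSKEY_RDATA)
    print("configured anchor:", anchor)
    print("matches current key set:", anchor_is_current(anchor, OWNER, [CURRENT_DNSKEY_RDATA]))
    # After the zone rolls its KSK, the stored anchor no longer matches anything.
    print("matches after rollover:", anchor_is_current(anchor, OWNER, [ROLLED_DNSKEY_RDATA]))
```

The point the check makes concrete: an anchor copied into a validator's key store is only as good as the process that refreshes it, because the first rollover at the zone turns it into a mismatch, and nothing in the store itself tells the validator whether that mismatch is an attack or simply staleness.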