[dnssec-deployment] meeting announcement: 25 May 2005

Steve Crocker steve at shinkuro.com
Tue May 24 15:17:56 EDT 2005

Matt Larson wrote:
> On Tue, 24 May 2005, Steve Crocker wrote:
>>I believe we need a well defined and effective means for enterprises to 
>>distribute their keys when they're ready, even if the parent TLD is not 
>>yet ready, but the overall system has to encourage and facilitate 
>>adoption throughout the hierarchy.  This is not a trivial challenge and 
>>it won't come along without some thought and implementation, but I also 
>>think it's entirely feasible.  Let me press on a bit more.
> There are some problems with such a scheme:
> - Can validator implementations support the hundreds or thousands of
>   trust anchors that would potentially result from such a scheme?

It would be really great to get a reasonable estimate on how big this 
number will actually be.  My guess is that hundreds or thousands is 
fine.  What happens if the number grows to tens or hundreds of thousands?

> - How will these trust anchors be authenticated in this key store
>   outside of the DNSSEC chain of trust?  (They have to be
>   authenticated both going in and coming out, i.e., registration and
>   distribution.)

Well, this is at the heart of the whole concept of having a separate 
store.  This certainly needs some sort of acceptable answer.

> - How will the keys be kept fresh once configured in validators
>   throughout the Internet?  (I would never put my zone's key in such a
>   store unless there were some reliable mechanism to keep it from
>   getting stale, which is unlikely without a lot of additional work.)

Good question.  I have some thoughts on this, but I will hold them for 
one round.

> All of these problems can be overcome with careful engineering, but is
> it worth it?  I think our time is better spent on removing other
> obstacles to deployment: Let's get the root signed.  Let's get NSEC3
> out the door so registries with privacy and/or resource concerns can
> deploy.  Let's work on operational documents.  But let's be careful
> before we start down a path of trying to distribute and maintain lots
> of trust anchors.

I completely agree we want to remove the barriers.  Getting the root 
signed is very high on the list.  The NSEC problem is also high on the 
list.  Whether we can hustle NSEC3 fast enough is more problematical.  I 
would not let up any pressure on these at all.

That said, I think it's inevitable that we have to find a way for an 
enterprise to proceed before its parent TLD is signed and ready to 
serve its children.  To me, this is a key point, and this is a good time 
to discuss it and determine whether we're in agreement on it.  I can 
understand the alternative point of view and I don't want to dismiss it.  
I just think it's not the right bet.  Of course, it will indeed take 
time and energy to deal with the incremental deployment.  My belief is 
we simply need to do so.  But we need to get broader agreement and 
clarity of direction.


> Matt
