[Dnssec-deployment] DNSSEC4J and trust anchors
mstjohns at comcast.net
Mon Jan 30 21:24:57 EST 2012
At 09:06 PM 1/30/2012, Doug Barton wrote:
>> why would creating a TLD test root key rollover?
> The semantics for 5011 are pretty much the same, right?
Resolvers doing DNSSEC validation currently have a trust anchor set which includes the current root KSK. Adding and deleting keys in the root trust anchor would reach pretty much everyone.
Creating a TLD to test roll-over probably wouldn't get you what you want. If the TLD chains to the root, 5011 has a mechanism to actually delete the trust point (depends on an implementation/configuration choice) which subordinates 5011 semantics to the normal DNSSEC chain of trust semantics.
Otherwise, you have to seed the TLD trust anchor across enough parts of the internet to make it useful - which means you have to get organizations and people involved, and that will take a while.
Working with root using non-active SEP keys is going to get you everything you might possibly get with TLD anchors with the benefit of not requiring the setup time.
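As an added illustration (constructed for this note, not code from the DNSSEC4J project or from the mail): a simulation of the RFC 5011 trust-anchor states a validating resolver walks through during the root KSK rollover discussed above, including the optional deletion of a trust point once all of its anchors are revoked. The key tags, the poll timing and the `signers` abstraction (RRSIG verification is assumed to have been done by the caller) are all constructed assumptions.

```python
from dataclasses import dataclass, field
ADD_HOLD_DOWN = 30 * 86400     # RFC 5011 add hold-down time: 30 days, in seconds
REMOVE_HOLD_DOWN = 30 * 86400  # RFC 5011 remove hold-down time
SEP = 0x0001                   # Secure Entry Point flag bit (RFC 4034)
REVOKE = 0x0080                # REVOKE flag bit defined by RFC 5011
KSK = 0x0100 | SEP             # Zone Key + SEP: flags of an ordinary KSK

@dataclass
class TrustPoint:
    anchors: dict = field(default_factory=dict)  # key tag -> RFC 5011 state name
    since: dict = field(default_factory=dict)    # key tag -> hold-down start time
    deleted: bool = False                        # whole trust point dropped

    def valid(self):
        return {t for t, s in self.anchors.items() if s == "Valid"}

    def observe(self, rrset, signers, now, delete_when_empty=False):
        """One poll of the DNSKEY RRset: rrset is {key tag: flags}, signers the
        tags whose RRSIGs over it verified (crypto assumed done by the caller)."""
        trusted = bool(signers & self.valid())  # signed by a current anchor?
        for tag, flags in rrset.items():
            state = self.anchors.get(tag, "Start")
            if flags & REVOKE:  # revocation counts only if the key signs itself
                if tag in signers and state == "Valid":
                    self.anchors[tag], self.since[tag] = "Revoked", now
                elif state == "AddPend":
                    del self.anchors[tag]  # revoked before trusted: forget it
            elif state == "Start" and flags & SEP and trusted:
                self.anchors[tag], self.since[tag] = "AddPend", now
            elif state == "AddPend" and now - self.since[tag] >= ADD_HOLD_DOWN:
                self.anchors[tag] = "Valid"
        for tag, state in list(self.anchors.items()):
            if tag not in rrset and state == "AddPend":
                del self.anchors[tag]  # withdrawn during hold-down: back to Start
            elif state == "Revoked" and now - self.since[tag] >= REMOVE_HOLD_DOWN:
                self.anchors[tag] = "Removed"
        # "Delete the trust point" option from the mail: a config choice once no anchor is usable
        if (delete_when_empty and not self.valid()
                and "AddPend" not in self.anchors.values()):
            self.deleted = True

def simulate_root_rollover():
    # Constructed KSK rollover: pre-publish NEW, wait out the hold-down, revoke OLD, withdraw OLD
    OLD, NEW, day = 1001, 1002, 86400  # constructed key tags, not real root tags
    tp, trace = TrustPoint(anchors={OLD: "Valid"}), []
    steps = [({OLD: KSK, NEW: KSK}, {OLD}, 0), ({OLD: KSK, NEW: KSK}, {OLD}, 31 * day),
             ({OLD: KSK | REVOKE, NEW: KSK}, {OLD, NEW}, 40 * day), ({NEW: KSK}, {NEW}, 80 * day)]
    for rrset, signers, t in steps:
        tp.observe(rrset, signers, t)
        trace.append(dict(tp.anchors))
    return trace
```

`simulate_root_rollover()` returns the anchor states after each poll, so the effect of the add and remove hold-down timers can be read off step by step.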