[Dnssec-deployment] DNSSEC4J and trust anchors
dougb at dougbarton.us
Mon Jan 30 21:47:25 EST 2012
On 01/30/2012 18:24, Michael StJohns wrote:
> At 09:06 PM 1/30/2012, Doug Barton wrote:
>>> why would creating a TLD test root key rollover?
>> The semantics for 5011 are pretty much the same, right?
> Yes but...
> Resolvers doing DNSSEC validation currently have a trust anchor set
> which includes the current root KSK. Adding and deleting keys in the
> root trust anchor would reach pretty much everyone.
Yes, I understand the difference. That's one of the reasons I'm
advocating not doing what you suggest.
> Creating a TLD to test roll-over probably wouldn't get you what you
> want. If the TLD chains to the root, 5011 has a mechanism to
> actually delete the trust point (depends on an
> implementation/configuration choice) which subordinates 5011
> semantics to the normal DNSSEC chain of trust semantics.
Again, right .... so don't do that. You could theoretically do some of
the same testing with a domain name in an existing TLD, but IMO we need
something as close to the root as we can get.
> Otherwise, you have to seed the TLD trust anchor across enough parts
> of the internet to make it useful - which means you have to get
> organizations and people involved, and that will take a while.
Again, right .... sort of like the examples I gave in the bit of my
first post that you snipped.
> Working with root using non-active SEP keys is going to get you
> everything you might possibly get with TLD anchors with the benefit
> of not requiring the setup time.
.... and with the potentially devastating drawbacks of bloated packet
sizes that you yourself pointed out. :)
It's always a long day; 86400 doesn't fit into a short.
Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/
More information about the Dnssec-deployment