<<<
Chronological Index
>>> <<<
Thread Index
>>>
Key Kept A-Rollin
- To: "comments-root-zone-consultation-08mar13@xxxxxxxxx" <comments-root-zone-consultation-08mar13@xxxxxxxxx>
- Subject: Key Kept A-Rollin
- From: Ralf Weber <Ralf.Weber@xxxxxxxxxxx>
- Date: Thu, 11 Apr 2013 07:21:31 +0000
Moin!
As the time has changed from 2009 when the root key was introduced great care
has to be taken for rolling it. There now is considerable deployment both on
the authoritative side as well as the recursive side validating. As failures in
the rollout will have a huge impact on validator clients and there really isn't
a mitigation strategy for failures at the root. I think there should be a
public test of a rollover on a separate infrastructure.
Such a setup was sort of available before the initial rollout where there was
an ICANN server that had a signed root with delegations that one could
configured as the root in it's server. As most if not all recursive server
implementations allow to configure different root hints from the ones supplied
with it setting up a special test setup to do one or more root KSK rollovers
should be possible. As vendors also have implemented tools to get the trust
anchor based on draft-jabley-dnssec-trust-anchor (
http://tools.ietf.org/html/draft-jabley-dnssec-trust-anchor ) setting up a test
setup for this would be a good idea also.
While this test might not catch all errors (especially the ones with stale
hard/software) there is a range of possible failures this setup would catch
that IMHO makes it worth pursuing it. And given that most people interested in
DNSSE are hanging around the IETF, ICANN or a small number of other DNSSEC or
DNS related groups/mailing lists I don't think it will be difficult to get
large enough group to make the test useful.
Once all is good in the test setup there should be couple of KSK rolls over a
shorter than normal period. How often and how frequent I don't have a
particular preferences other than the count should be greater than 1 and the
frequency more than 3 months and less than two years. What is important though
is that all the problems that are encountered during either the test or real
KSK rollovers will be documented in a public available document (e.g
informational IETF draft), so that future implementers/operators can learn from
it.
So long
-Ralf
---
Ralf Weber
Senior Infrastructure Architect
Nominum Inc.
2000 Seaport Blvd. Suite 400
Redwood City, California 94063
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|