Edward Lewis wrote:
> Also, what was not anticipated was the coming of automated provisioning,
Yes, it was anticipated.
It was obvious from the beginning of DNSSEC that automated provisioning
was operationally unavoidable.
> At the time too -
> HSMs didn't exist in our world, and we still thought that all signing
> would be done on a machine with an air-gap to the Internet.
In draft-ohta-simple-dns-00.txt (August 1994), it is already written:

    In cases where frequent and/or automatic update of a zone is desired, it
    is necessary to make signature generation mechanism of the zone
    accessible on-line. Still, it is worthwhile to keep the secret
    information and secure time stamping mechanism of the zone off-line.

HSM was also considered but was not essential, because secret keys of
signature generation mechanisms may be physically protected in various
ways.
> So many assumptions have changed...but the idea of KSK/ZSK hasn't.
It is merely that your assumptions, including that on KSK/ZSK, have
been bogus.
Masataka Ohta
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop