On 2013-04-04, at 16:35, Mark Andrews <[email protected]> wrote:

> Validators need to have end dates for DNSKEYS. If it starts up
> after that date it goes to all insecure.

http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00 was a first attempt to describe how a validator should bootstrap itself. I got zero feedback that anybody was interested in that problem space, and the draft never went any further.

I continue to think that behaviour upon cold boot is important to specify, however, and if root zone KSK rollover thoughts have changed people's minds about its usefulness, I'd gladly pick it up again. It needs some work (any sentence that includes the word "certificate" is liable to make Mr Hoffman shake his fist in its current form), but I think the basic approach described has merit.

In general, if we acknowledge for the purposes of this discussion that root zone KSK rollovers will happen, and will happen often enough to care about mitigating damage during roll, I think we need a two-pronged approach to this problem space:

1. Use 5011 or some similar mechanism to accommodate key rollovers (for devices that are turned on often enough to be able to do that)

2. Carefully specify bootstrapping behaviour so that any cold-start of a long-dormant validator can be handled in some sane way.

Joe
