On Thu, 4 Apr 2013, Paul Hoffman wrote:
I think nothing is needed here except perhaps a statement of the bleeding obvious:
"if you miss too many key rollovers, Very Bad Things will happen so make sure you
have a foolproof way of recovering from that".

We need that statement because it's *not* bleeding obvious. I cannot think of a single thing built
into a 2007-era ISO of a Linux distro that would have the property similar to "it will
automatically give mysterious results for DNS service". It might have lots of unsafe software
turned on, but none that will say "I'll serve you" but then it doesn't.

e.g. Have some out-of-band means of fetching and verifying the current version of
the One True Trust Anchor.

And has the IETF supplied anything like that? If not, should ICANN wait for the
first roll until we have?

The only thing we have is the ICANN PEM bundle, and unbound-anchor-like
mechanisms where we try to get the root key verified by the signed
certificate of ICANN. But it all depends on the security of the CAs,
and an everlasting URL at the ICANN site for the bundle and the
continued publication of the certs and root keys there. None of which
I believe is codified in an RFC.

Paul