On Apr 23, 2013, at 10:21 AM, Edward Lewis <[email protected]> wrote:
> I'm going to attempt to reply to a few messages in one.

… and I'm going to snip a whole bunch of text and just respond to part of it :-)

[ SNIP ]

> > On Apr 22, 2013, at 17:48, Warren Kumari wrote:
> >
> >> Um, I'm probably missing something obvious here, but you cannot use CDS to
> >> enroll in DNSSEC. This means that you'll have to use the original
> >> out-of-band system -- what if we extend Wes's radio buttons to include ZSK /
> >> KSK[0]?
> >
> > Ultimately, I'm still uncomfortable with anything that does not use the
> > out-of-band mechanism.

Unfortunately the whole point of the CDS draft is to allow rolling of keys without having to do the whole out-of-band thing.

The problem statement is basically: "It is really annoying to have to go to my registrar (or whatever other parental relationship I have) and click through a whole bunch of screens to finally get to the place where I enter the DS. I'm ok to do this once or twice, but having to do it <blargh> times every <foo> sucks and so I just don't do it at all."

(where <blargh> is the number of domains I hold and <foo> is my key roll interval (and *please* let's not get into any religious arguments about the value (or even units) of <foo>))

> At the start of this thread was the question of "what if the secrecy of the
> KSK private key is lost? How do you go forward?"

You:

1: Curse.
2: Figure out how it happened.
3: Bitch at Bob, who decided to back it up by printing it out on a pile of 8.5"x11" and then left it under his keyboard.
4: Suck it up and log onto the registrar's web site (or however else you securely communicate with your parent) and click the "Delete *ALL* DS records" button, then click the "Add DS record" button and manually enroll a new DS (just like you currently do…)
5: Remove Bob's sudo access.
6: Profit!

> Conventional wisdom du jour is that the only "gotta do it" reason for a key
> change is just about that case. All the other reasons are more or less
> window dressing. (Yes, you could totally lose the private key, but then
> there's no way to roll out of it "in band.")

This is only "conventional wisdom" amongst some folk -- some folk wish to be able to roll their keys every X weeks / months / years. This is for a variety of reasons, from the sane to the crazy, but it is (IMO) their right to decide how often (or even if) they wish to roll.

> I can't see how a reasonable approach can be made to work only in-band.
> Ever. Where reasonable means "has no gaping holes that might actually happen
> in operations."
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar You can leave a voice message at +1-571-434-5468
>
> There are no answers - just tradeoffs, decisions, and responses.
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop

--
There are only 10 types of people in this world -- those who understand binary arithmetic and those who don't.
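The in-band roll argued about above only works safely if the parent, before swapping its DS, checks that the child's CDS really corresponds to a DNSKEY the child publishes. The following is an added example (not code from this thread or from any DNS implementation) of that parent-side check: it recomputes the DS from the child's DNSKEY as RFC 4034 specifies (key tag, canonical owner name, digest) and compares it with the CDS. The zone name and key bytes are constructed; validating the RRSIGs on the child's CDS and DNSKEY RRsets with the current KSK is a separate step the example does not perform.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS RDATA (key tag, algorithm, digest type, digest hex) the parent would publish."""
    digest = DIGEST_ALGS[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def cds_matches_dnskey(owner: str, cds: tuple, dnskeys: list) -> bool:
    """Parent-side acceptance check: the CDS must match a DNSKEY the child actually
    publishes at its apex; unknown digest types are refused rather than guessed."""
    if cds[2] not in DIGEST_ALGS:
        return False
    return any(ds_from_dnskey(owner, rd, cds[2]) == cds for rd in dnskeys)


if __name__ == "__main__":
    owner = "example.net."                            # constructed zone name
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))  # constructed key bytes, not a real key
    cds = ds_from_dnskey(owner, ksk)                  # what the child would publish as CDS
    print(cds, cds_matches_dnskey(owner, cds, [ksk]))
```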
