----- Original Message -----
> From: "Emily Shepherd" <em...@emilyshepherd.me>
> To: "Mikael Abrahamsson" <swm...@swm.pp.se>
> Cc: "dnsop" <dnsop@ietf.org>
> Sent: Wednesday, 16 November, 2016 14:26:53
> Subject: Re: [DNSOP] DNSSEC operational issues long term

> On Wed, Nov 16, 2016 at 02:18:17PM +0100, Mikael Abrahamsson wrote:
>>Ok, so what I see right now is DNSSEC punting the problem somewhere
>>else. NTP is punting it somewhere else. TLS is punting it somewhere
>>else.
> 
> I don't think this is what people are saying. The issue of trust anchor
> updates is one that is not unique to DNSSEC, so it makes sense to look
> at some of the solutions other systems which rely on chains of trust
> use. What happens, for example, when a Certificate Authority needs to
> replace its root certificate?

Not only replace - but the ecosystem changes.  If you wake up a device
that has been in a box for 10 years, it has woken up to a world where
Let's Encrypt is the largest CA.  And how likely is it to have support
for modern crypto, or heck, even for SHA2 CA trust anchors?

If your device supports crypto, it has to be vendor supported for all
those 10 years, because frankly the world spins so fast now that there
are so many little things that could break that DNSSEC is the least of
your problems.

The vendor has to provide a way to upload new firmware (possibly in a way
a common user can do that).  Our phones are supported for 2-3 years, and
that's only when we are lucky.  I strongly believe that you have built
a use case to prove something is wrong, but I think it's your use case
that's wrong in this case.

Cheers,
--
 Ondřej Surý -- Technical Fellow
 --------------------------------------------
 CZ.NIC, z.s.p.o.    --     Laboratoře CZ.NIC
 Milesovska 5, 130 00 Praha 3, Czech Republic
 mailto:ondrej.s...@nic.cz    https://nic.cz/
 --------------------------------------------

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop