Re: [dns-operations] A request for "data"
On 27 Apr 2024, at 03:37, Warren Kumari wrote:

>>> For the record, the last time a ccTLD published a revoked SEP key was April
>>> 9, 2019 (this was not the revocation of the root zone KSK but a TLD's KSK),
>>> so I know that none of the TLDs have completed an Automated Updates roll
>>> since then.
>
> I don't really understand under what conditions I'd want to have a
> trust-anchor for any (public) zone.

Every zone administrator has the problem of key distribution if relying parties who want to validate signatures exist (if it can be established that none exist, why sign your zone). There are multiple approaches that can be used, of which publishing key material in your parent zone is just one. Just because we might think that's the right method for most people and most zones doesn't mean it's the only method.

Different zones and different zone administrators can reasonably make different assessments of risk when it comes to trust anchor distribution. There is nothing to stop a particular zone administrator making the local assessment that they don't like the practices associated with their parent zone, or their parent's parent, for example, especially if their concerns are concentrated around validation by a known set of relying parties.

Zones exist which are not discoverable by referral responses (you have to know where the auth servers are), which means secure referrals are not available, and if such zones want to offer validation they need other methods for key distribution.

It's a big Internet. There is a lot of surprising stuff in it. I find it's usually a mistake to imagine that anybody knows how all of it works just because they know how some of it works. Thinking the opposite and turning over rocks can reveal some interesting things.

Joe

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
Re: [dns-operations] A request for "data"
On Thu, Apr 25 2024 at 12:15 PM, Tim Wicinski wrote:

> I know in our fancy pants nominum s/w we run at cox I add the
> line "managed-keys" and like magic we're pulling 5011 automagic maintained.
>
> got time later today? I am open
>
> On Thu, Apr 25, 2024 at 11:58 AM Edward Lewis wrote:
>
>> An open question...
>>
>> Is anyone aware of any use of Automated Updates of DNS Trust Anchors,
>> documented in RFC 5011, in the last 5 years or so? Does anyone know of a
>> zone (other than the root) that documents or publicizes a reliance on
>> Automated Updates?

Probably not, because there aren't really any (public) trust anchors other than the root.

>> For the record, the last time a ccTLD published a revoked SEP key was April
>> 9, 2019 (this was not the revocation of the root zone KSK but a TLD's
>> KSK), so I know that none of the TLDs have completed an Automated Updates
>> roll since then.

I don't really understand under what conditions I'd want to have a trust-anchor for any (public) zone. The root is signed, the TLDs publish their DS in the root, 2nd levels publish in the TLD, etc. Having a trust anchor for anything under the root seems to just be asking for trouble — if a TLD needed to roll their keys (because of compromise or just on schedule) they can easily and quickly do so under the current paradigm. If I've also installed their key as a separate TA they have a whole long and involved process to go through. The only time that I could see this being "useful" would be if I were in a country that wanted to be able to disconnect itself from the public Internet for an extended period of time…

>> I have no historical data below the TLD level, so I'm seeking anecdotal
>> evidence of reliance on Automated Updates anywhere (else) in the global
>> public Internet. I doubt there is any, but that is based on absolutely no
>> data and personal assumptions.

Yeah, I think that we have both been saying "public" throughout this thread because there may well be uses of this for private, non-Internet connected zones, which we will not really be able to see…

W

>> Private replies are fine...I'm not trying to name operators, just evaluate
>> the mechanism's adoption.
>>
>> Ed Lewis
Re: [dns-operations] A request for "data"
I know in our fancy pants nominum s/w we run at cox I add the line "managed-keys" and like magic we're pulling 5011 automagic maintained.

got time later today? I am open

On Thu, Apr 25, 2024 at 11:58 AM Edward Lewis wrote:

> An open question...
>
> Is anyone aware of any use of Automated Updates of DNS Trust Anchors,
> documented in RFC 5011, in the last 5 years or so? Does anyone know of a
> zone (other than the root) that documents or publicizes a reliance on
> Automated Updates?
>
> For the record, the last time a ccTLD published a revoked SEP key was
> April 9, 2019 (this was not the revocation of the root zone KSK but a TLD's
> KSK), so I know that none of the TLDs have completed an Automated Updates
> roll since then.
>
> I have no historical data below the TLD level, so I'm seeking anecdotal
> evidence of reliance on Automated Updates anywhere (else) in the global
> public Internet. I doubt there is any, but that is based on absolutely no
> data and personal assumptions.
>
> Private replies are fine...I'm not trying to name operators, just evaluate
> the mechanism's adoption.
>
> Ed Lewis
[dns-operations] A request for "data"
An open question...

Is anyone aware of any use of Automated Updates of DNS Trust Anchors, documented in RFC 5011, in the last 5 years or so? Does anyone know of a zone (other than the root) that documents or publicizes a reliance on Automated Updates?

For the record, the last time a ccTLD published a revoked SEP key was April 9, 2019 (this was not the revocation of the root zone KSK but a TLD's KSK), so I know that none of the TLDs have completed an Automated Updates roll since then.

I have no historical data below the TLD level, so I'm seeking anecdotal evidence of reliance on Automated Updates anywhere (else) in the global public Internet. I doubt there is any, but that is based on absolutely no data and personal assumptions.

Private replies are fine...I'm not trying to name operators, just evaluate the mechanism's adoption.

Ed Lewis
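The signal Ed is measuring above, a SEP key republished with the RFC 5011 REVOKE bit, can be checked mechanically over a zone's DNSKEY RRset. The following is an added example, not code from anyone in the thread: it parses DNSKEY records in presentation format, computes the RFC 4034 key tag, flags revoked SEP keys, and shows through revoke() that setting the REVOKE bit changes the key tag. The owner name, RRset and 8-byte key material are constructed dummies, not real keys.

```python
import base64
from dataclasses import dataclass, replace

FLAG_REVOKE = 0x0080  # RFC 5011 section 2.1
FLAG_SEP = 0x0001     # RFC 4034 section 2.1.1; a KSK carries flags 257

@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @classmethod
    def from_presentation(cls, line: str) -> "DNSKEY":
        # One RR per line as in default dig output: "<owner> <ttl> IN DNSKEY <flags> <proto> <alg> <base64>"
        f = line.split()
        i = f.index("DNSKEY")
        flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
        return cls(flags, proto, alg, base64.b64decode("".join(f[i + 4:])))

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def key_tag(self) -> int:
        # RFC 4034 Appendix B. The tag covers the flags field, so setting REVOKE changes it.
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def is_revoked_sep(self) -> bool:
        return (self.flags & (FLAG_SEP | FLAG_REVOKE)) == (FLAG_SEP | FLAG_REVOKE)

def revoke(key: DNSKEY) -> DNSKEY:
    """Publisher's side of an RFC 5011 roll: same key material, REVOKE bit set."""
    return replace(key, flags=key.flags | FLAG_REVOKE)

def revoked_sep_tags(keys) -> list:
    """Key tags of revoked SEP keys, the signal a 5011 validator acts on."""
    return sorted(k.key_tag() for k in keys if k.is_revoked_sep())

def _rr(flags: int, key: bytes) -> str:
    # Constructed presentation-format record (the key bytes are dummies, not real keys)
    return f"example. 3600 IN DNSKEY {flags} 3 13 {base64.b64encode(key).decode()}"

# Constructed RRset: a ZSK, a new KSK, and the old KSK republished with REVOKE set
OLD_KSK = DNSKEY.from_presentation(_rr(257, bytes(range(1, 9))))
SAMPLE_RRSET = [DNSKEY.from_presentation(r) for r in (_rr(256, bytes(range(0x10, 0x18))),
    _rr(257, bytes(range(0x20, 0x28))), _rr(257 | FLAG_REVOKE, bytes(range(1, 9))))]
```

Feeding the lines of a real `dig +dnssec DNSKEY` answer to from_presentation() and calling revoked_sep_tags() gives the same "revoked SEP key published" observation Ed describes, with the tag a 5011 validator would log.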