morning Ed - thanks for reminding me. in that vein, there is a pending proposal to provide a proof of concept implementation of Internet-based "over the air" re-keying to facilitate unscheduled key rollover. We've not (yet) augmented it to include an MofN set of hooks - but that would go a -long- way toward the "on the shelf" problem that RFC 5011 does not address well. Once we get it working, it is possible that we might bring it to the IETF for consideration.
--bill

On Mon, Feb 08, 2010 at 09:33:36AM -0500, Edward Lewis wrote:
At 15:12 +0100 2/8/10, Peter Koch wrote:
well, this may not lead anywhere useful.
Regretfully I agree with Peter on this point and in that way.
;)
No matter how long the Secure Entry Points (aka KSK) are in use, there will be an on-the-shelf piece of equipment that is turned on after the keys are history.
Bill Manning made attempts to characterize that problem years ago - the most recent San Diego IETF if I recall correctly. Every time someone has a case that solves for up to N, there's a case for N+1. (Months, zones, servers, years, you name it.)
Remember that DNSSEC is there to protect the resolver. I don't think there is any (or going to be any) one way that is manageable, scalable, non-commercial (and/or open-source), quick, cheap, in-line, dynamic and convenient for zone operators to use to inform all recursive servers that there are new SEPs - whether just for the root zone or for all the zones, or even just for the roots of DNSSEC-ized subtrees.
Well, no "one way" known in advance of deployment.
Perhaps in two or three years we'll have an answer. Or in two or three years network administrators will just put up with "the jungle out there."
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar
You can leave a voice message at +1-571-434-5468
As with IPv6, the problem with the deployment of frictionless surfaces is that they're not getting traction.
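The "on the shelf" problem Ed and Bill are discussing can be made concrete with a small simulation. The following is an added example, not code from the thread, from RFC 5011, or from Bill's proof-of-concept: it models a deliberately simplified RFC 5011 trust-anchor state machine (integer day counter, a `signed_by` set standing in for RRSIG validation, the AddPend query-interval rules collapsed to "present continuously for the hold-down period") and runs a constructed KSK rollover from key "A" to key "B" past two resolvers. One resolver is online throughout and tracks the roll; the other is powered off between day 0 and day 100 and, when switched on, holds only a trust anchor that no longer signs anything. Key ids, day numbers and the `Observation`/`Resolver` names are all assumptions made for the illustration.

```python
"""
Toy RFC 5011 trust-anchor state machine (added example, not RFC text).

Simplifications, all assumptions for illustration: time is an integer day
counter; Observation.signed_by stands in for verified RRSIGs over the
DNSKEY RRset; the AddPend promotion rule is reduced to "seen continuously
for HOLD_DOWN days"; query-interval and retry details are omitted.
"""
from dataclasses import dataclass

HOLD_DOWN = 30  # RFC 5011 add / remove hold-down time, in days


@dataclass
class Observation:
    day: int
    keys: dict        # key_id -> REVOKE bit set?
    signed_by: set    # key_ids whose RRSIG over the DNSKEY RRset verified


@dataclass
class Anchor:
    state: str        # "AddPend", "Valid" or "Revoked"
    since: int        # day the key entered this state


class Resolver:
    def __init__(self, initial_anchor, day=0):
        # A configured (e.g. factory-shipped) trust anchor starts Valid.
        self.anchors = {initial_anchor: Anchor("Valid", day)}

    def valid_keys(self):
        return {k for k, a in self.anchors.items() if a.state == "Valid"}

    def observe(self, obs):
        """Process one DNSKEY RRset; return True if it validated."""
        # Only a Valid anchor may validate the RRset. No overlap means the
        # resolver can learn nothing from this observation at all.
        if not (obs.signed_by & self.valid_keys()):
            return False
        # Revocation: a known key with REVOKE set that also signs the RRset.
        for kid, revoked in obs.keys.items():
            if revoked and kid in obs.signed_by and kid in self.anchors:
                self.anchors[kid] = Anchor("Revoked", obs.day)
        # Unknown keys enter AddPend; AddPend keys promote after hold-down.
        for kid, revoked in obs.keys.items():
            if revoked:
                continue
            a = self.anchors.get(kid)
            if a is None:
                self.anchors[kid] = Anchor("AddPend", obs.day)
            elif a.state == "AddPend" and obs.day - a.since >= HOLD_DOWN:
                self.anchors[kid] = Anchor("Valid", obs.day)
        # AddPend keys that vanished are dropped; Revoked keys age out.
        for kid in list(self.anchors):
            a = self.anchors[kid]
            if a.state == "AddPend" and kid not in obs.keys:
                del self.anchors[kid]
            elif a.state == "Revoked" and obs.day - a.since >= HOLD_DOWN:
                del self.anchors[kid]
        return True


def rollover_timeline():
    """Constructed zone history: KSK A rolls to KSK B (sample data)."""
    return [
        Observation(0,   {"A": False},             {"A"}),
        Observation(10,  {"A": False, "B": False}, {"A", "B"}),  # B published
        Observation(40,  {"A": False, "B": False}, {"A", "B"}),  # hold-down met
        Observation(50,  {"A": True,  "B": False}, {"A", "B"}),  # A revoked
        Observation(100, {"B": False},             {"B"}),       # A withdrawn
    ]


def simulate():
    """Return (online validations, online anchors, shelf result, shelf anchors)."""
    timeline = rollover_timeline()
    online = Resolver("A")
    online_ok = [online.observe(o) for o in timeline]
    shelved = Resolver("A")  # boxed with anchor A, powered off until day 100
    shelved_ok = shelved.observe(timeline[-1])
    return (online_ok, sorted(online.valid_keys()),
            shelved_ok, sorted(shelved.valid_keys()))


if __name__ == "__main__":
    print(simulate())
```

The online resolver validates every observation and ends holding only "B". The shelved resolver's first observation is signed only by "B", which it has never seen, so `observe` returns False and its anchor set is still {"A"}: RFC 5011 gives it no path forward, which is the gap Bill's over-the-air re-keying proposal is aimed at. Pushing the roll date later (change the day numbers in `rollover_timeline`) does not help, which is Ed's "N versus N+1" point.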