On 6 Apr 2013, at 10:04, Joe Abley <jab...@hopcount.ca> wrote:

> On 2013-04-06, at 16:55, Tony Finch <d...@dotat.at> wrote:
>>
>> Validator vendors have to provide an out-of-band trust anchor update
>> mechanism to cope with this. It needs to be coded and included in long-term
>> support releases of validators and operating systems before rollover, I
>> think.
>
> draft-jabley-dnsop-validator-bootstrap.

Still needs implementation.

My point about trustworthiness is that there is (as far as I know) no
documentation of how the private keys are managed for the certificates /
signatures on the trust anchor files, which rather undermines the elaborate
root KSK management.

I am also worried about being vulnerable to a screwup by any number of CAs;
it would be good to pin the list of CA certs that might be used to verify the
DNS trust anchor signatures.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
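The pinning Tony asks for, shown as an added example that is not part of this thread, of the draft, or of any validator's code. It is Go using only the standard library: the pinned CA, an unrelated CA, a signer certificate under each, the anchor file and the signatures are all generated inside the block (constructed material, not ICANN's). A raw detached ECDSA signature stands in for the detached signature format actually distributed with the trust anchor file, and the function and certificate names are assumptions. The check that matters is that the verifier's root set is the pinned list and nothing else, so a certificate issued by any other CA, however well trusted by the host, cannot validate the anchor file.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed sample in the shape of root-anchors.xml; key tag and digest are
// placeholders, not real root KSK values.
const sampleAnchor = `<TrustAnchor id="sample" source="https://example.invalid/root-anchors.xml">` +
	`<Zone>.</Zone><KeyDigest id="sample"><KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>` +
	`<Digest>0000000000000000000000000000000000000000000000000000000000000000</Digest></KeyDigest></TrustAnchor>`

func check(err error) {
	if err != nil {
		panic(err) // setup failures are fatal for the demonstration
	}
}

// newCert issues a P-256 certificate for cn: a self-signed CA when parent is
// nil, otherwise a certificate issued by parent with parentKey.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signAnchor produces a detached ECDSA signature over the anchor file bytes.
func signAnchor(key *ecdsa.PrivateKey, anchor []byte) []byte {
	digest := sha256.Sum256(anchor)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// VerifyAnchorSignature accepts the anchor file only if the signer certificate
// chains to one of the pinned CA certificates and the detached signature matches
// the file. Roots is the pinned list alone: the host CA bundle is never consulted.
func VerifyAnchorSignature(anchor, sig []byte, signer *x509.Certificate, pinned *x509.CertPool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: pinned, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("signer does not chain to a pinned CA: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("signer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(anchor)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("detached signature does not match the anchor file")
	}
	return nil
}

// Scenario builds a pinned CA, an unrelated CA and a signer under each, and returns
// the results for: the legitimate signature, a signature by the signer under the
// unpinned CA, and the legitimate signature over a tampered file. Only the first is nil.
func Scenario() (errPinned, errUnpinned, errTampered error) {
	pinnedCA, pinnedKey := newCert("pinned trust-anchor CA", true, nil, nil)
	otherCA, otherKey := newCert("some other public CA", true, nil, nil)
	goodSigner, goodKey := newCert("trust-anchor-signer", false, pinnedCA, pinnedKey)
	badSigner, badKey := newCert("trust-anchor-signer", false, otherCA, otherKey)
	pinned := x509.NewCertPool()
	pinned.AddCert(pinnedCA)
	anchor := []byte(sampleAnchor)
	goodSig := signAnchor(goodKey, anchor)
	tampered := []byte(sampleAnchor + "\n") // any change to the file must be detected
	errPinned = VerifyAnchorSignature(anchor, goodSig, goodSigner, pinned)
	errUnpinned = VerifyAnchorSignature(anchor, signAnchor(badKey, anchor), badSigner, pinned)
	errTampered = VerifyAnchorSignature(tampered, goodSig, goodSigner, pinned)
	return
}
```

Two caveats a validator implementer would add. Pinning a CA still trusts that CA's issuance practices, which is exactly the undocumented part Tony points at; pinning the signer certificate or its key directly is tighter, at the cost of a more frequent update. And the pinned list itself needs a way to be replaced in long-lived releases, which is the same bootstrap problem the draft is trying to solve for the KSK.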