Hi,
today I have discovered something after talking to some people that know
more than I do.
Example:
I go to the store and buy two DNSSEC enabled devices that rely on DNSSEC
working for them to work.
I put one device on the network immediately and the other one on the
shelf. The one I plugged in works just fine for 10 years because it has
RFC5011 support.
Now after 10 years after plugging the first one in, I take the second one
off the shelf and plug it in. It will now not work because there has been
a root zone key rollover. I am told this is by design. This makes me a sad
panda.
We have a bootstrapping problem. My device has no way to know what time it
is so it can't verify certificates that might be used to update the key
material, and by above design decision, DNSSEC doesn't work.
I had some idea that DNSSEC could be used to sign a distribution of
roughtime (have someone sign a DATE+TIME TXT record so I at least know
approximately what day and time of day it is), so I could verify
certificates and then bootstrap myself that way.
I believe that this property of DNSSEC (put on shelf, take from shelf in
10 years, device now not working properly) is not well known in the wider
IETF community. Is this documented somewhere in plain text that everybody
will understand?
What's the current thinking of what a user should do with a device that
has only old root zone key material? Is there any guidance to vendors on
what they should instruct users to do in order to make their device
work again?
--
Mikael Abrahamsson email: swm...@swm.pp.se
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
