Hi all,

This draft from 2011 emerged blinking into the sunlight from the grave where it 
expired, growling something about KSK rollovers and brains. Dave and I promptly 
wrestled it to the ground and locked it in the datatracker where we can safely 
poke sticks at it through the reinforced metal bars.

The original draft contained this prescient language:

   The possibility remains, however, that [RFC5011] signalling will not
   be available to a validator: e.g. certain classes of emergency KSK
   rollover may require a compromised KSK to be discarded more quickly
   than [RFC5011] specifies, or a validator might be off-line over the
   whole key-roll event.

   This document provides guidance on how DNSSEC Validators might
   determine an appropriate set of trust anchors to use at start-up, or
   when other mechanisms intended to allow key rollover to be tolerated
   gracefully are not available.

Dave and I imagine this kind of thinking might be relevant and timely. Tim and
Suz have kindly tolerated my increasingly frantic handwaving on this subject 
and have offered me some minutes in the dnsop meeting tomorrow, where I intend 
to suggest that a specification along these lines is necessary and that the 
working group should take this on.


Joe

> Begin forwarded message:
> 
> From: internet-dra...@ietf.org
> Subject: New Version Notification for draft-jabley-dnsop-bootstrap-validator-00.txt
> Date: 19 March 2018 at 14:59:53 GMT
> To: "Joe Abley" <jab...@afilias.info>, "Dave Knight" <dave.knight@team.neustar>
> 
> 
> A new version of I-D, draft-jabley-dnsop-bootstrap-validator-00.txt
> has been successfully submitted by Joe Abley and posted to the
> IETF repository.
> 
> Name:         draft-jabley-dnsop-bootstrap-validator
> Revision:     00
> Title:        Establishing an Appropriate Root Zone DNSSEC Trust Anchor at Startup
> Document date: 2018-03-19
> Group:        Individual Submission
> Pages:        9
> URL:          https://www.ietf.org/internet-drafts/draft-jabley-dnsop-bootstrap-validator-00.txt
> Status:       https://datatracker.ietf.org/doc/draft-jabley-dnsop-bootstrap-validator/
> Htmlized:     https://tools.ietf.org/html/draft-jabley-dnsop-bootstrap-validator-00
> Htmlized:     https://datatracker.ietf.org/doc/html/draft-jabley-dnsop-bootstrap-validator
> 
> 
> Abstract:
>   Domain Name System Security Extensions (DNSSEC) allow cryptographic
>   signatures to be used to validate responses received from the Domain
>   Name System (DNS).  A DNS client which validates such signatures is
>   known as a validator.
> 
>   The choice of appropriate root zone trust anchor for a validator is
>   expected to vary over time as the corresponding cryptographic keys
>   used in DNSSEC are changed.
> 
>   This document provides guidance on how validators might determine an
>   appropriate trust anchor for the root zone to use at start-up, or
>   when other mechanisms intended to allow key rollover to be tolerated
>   gracefully are not available.
> 
> 
> 
> 
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
> 
> The IETF Secretariat
> 

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
