Jim Reid wrote:
> On 31 Oct 2018, at 00:27, Mark Andrews <ma...@isc.org> wrote:
>> Bootstrap is still an issue. Over fast TA rolling makes it more of
>> an issue.
>
> Indeed. And that's the underlying problem that needs to be fixed IMO
> - for instance when/if there's an emergency rollover.

bootstrappers should have https access to a complete history of root
ksk, each one signed by its predecessor. this doesn't handle revocation,
but nothing in dnssec handles revocation, and that's by design, and so
i'm inclined not to worry about it.

but that's the backup plan. the primary expectation is, devices which
come off the shelf after a dnssec ksk roll will have some means of
reaching and trusting their manufacturer's software update service,
which will offer them a current ksk for validation.

manufacturers who don't last long enough to do this, or who for whatever
other reason don't do this, will be shipping future bricks. and i'm fine
with that, since it's in their power to do the right thing, which is the
best we can offer.
--
P Vixie
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
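
The key-history idea in the message above, as an added example that is not part of the original post or of any DNSSEC implementation: a device walks forward from the key it shipped with and accepts each later entry only if the previous key signed it. The `Link` format, the function names and the use of Ed25519 in place of DNSSEC's signature algorithms are assumptions, the keys are constructed from fixed seeds, and, as the message says of the scheme, revocation is not handled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Link is one entry in a hypothetical published key history.
type Link struct {
	Key ed25519.PublicKey
	Sig []byte // predecessor's signature over Key; empty for the oldest entry
}

// BuildHistory returns a constructed sample history of n keys from fixed seeds.
func BuildHistory(n int) (h []Link) {
	var prev ed25519.PrivateKey
	for i := 0; i < n; i++ {
		priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{byte(i + 1)}, ed25519.SeedSize))
		l := Link{Key: priv.Public().(ed25519.PublicKey)}
		if prev != nil {
			l.Sig = ed25519.Sign(prev, l.Key)
		}
		h, prev = append(h, l), priv
	}
	return h
}

// Bootstrap returns the newest key reachable from the shipped key.
func Bootstrap(shipped ed25519.PublicKey, history []Link) (ed25519.PublicKey, error) {
	var cur ed25519.PublicKey
	for i, l := range history {
		if cur == nil && !bytes.Equal(l.Key, shipped) {
			continue // entries older than the shipped key are not needed
		}
		if cur != nil && !ed25519.Verify(cur, l.Key, l.Sig) {
			return nil, fmt.Errorf("entry %d is not signed by its predecessor", i)
		}
		cur = l.Key
	}
	if cur == nil {
		return nil, fmt.Errorf("shipped key is not in the history")
	}
	return cur, nil
}

func main() {
	h := BuildHistory(4) // device shipped with the second of four keys
	fmt.Println(Bootstrap(h[1].Key, h))
}
```

A device that has been on the shelf through several rolls needs every intermediate entry: one missing or badly signed link stops the walk, which is why the history has to be complete.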