On 30 Jun 2021, at 14:59, Peter van Dijk <peter.van.d...@powerdns.com> wrote:
> I feel that the right mechanism for root key distribution is software
> distributors. This is working fine for the CA system, and with keys announced
> far enough in advance, should work fine for DNSSEC. Software distributors
> have solved this problem; they are very good at distributing things; I
> suggest we let them solve this for us.

We actually spent some time back in 2009/2010 packaging trust anchors in a way that could take advantage of existing (e.g. code-signing) PKIs, specifically to facilitate distribution to software vendors. I haven't checked very recently, but I don't think there was any sign that the mechanism was being used by anybody in the decade or so that followed. See RFC 7958 section 2.3.

I mention this simply because it was our best guess at the time at how to distribute trust anchors securely (with a respectable chain of custody) from the KMF in which the keys were generated right through to the code publication pipeline operated by software vendors. Quite possibly it was a bad guess.


Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop