Re: [DNSOP] KSK rollover choices

2018-11-03 Thread Wes Hardaker
Joe Abley writes: > I think the wider problem space might be better described as trust > anchor publication and retrieval. Couldn't have said it better myself (more specifically, I didn't). The problem space is much bigger than 5011, and 5011 is but one tool to solve a piece of the whole

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Joe Abley
On 1 Nov 2018, at 15:14, Wes Hardaker wrote: > Russ Housley writes: > >> It is a good time to do rfc5011-bis. Real world experience from the >> KSK roll makes a lot of sense to me. > > I think step one would be to list the aspects of it that worked well, > and the aspects that didn't. From

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Wes Hardaker
Russ Housley writes: > It is a good time to do rfc5011-bis. Real world experience from the > KSK roll makes a lot of sense to me. I think step one would be to list the aspects of it that worked well, and the aspects that didn't. From that we can determine the need for a replacement and what

Re: [DNSOP] KSK rollover choices

2018-11-01 Thread Russ Housley
> On Oct 30, 2018, at 8:27 PM, Mark Andrews wrote: > >> On 31 Oct 2018, at 11:16 am, Jim Reid wrote: >> >> On 30 Oct 2018, at 22:31, Mark Andrews wrote: >>> >>> Ultra frequent key rolls are not necessary. It takes years for the latest >>> releases of name servers to make it into shipping

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Michael StJohns
On 10/31/2018 2:54 PM, Paul Vixie wrote: Jim Reid wrote: On 31 Oct 2018, at 00:27, Mark Andrews wrote: Bootstrap is still an issue. Over fast TA rolling makes it more of an issue. Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Joe Abley
Hi Paul, On 31 Oct 2018, at 14:54, Paul Vixie wrote: > Jim Reid wrote: > >>> On 31 Oct 2018, at 00:27, Mark Andrews wrote: >>> >>> Bootstrap is still an issue. Over fast TA rolling makes it more of >>> an issue. >> >> Indeed. And that's the underlying problem that needs to be fixed IMO >> -

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Paul Vixie
Jim Reid wrote: On 31 Oct 2018, at 00:27, Mark Andrews wrote: Bootstrap is still an issue. Over fast TA rolling makes it more of an issue. Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an emergency rollover. bootstrappers should

Re: [DNSOP] KSK rollover choices

2018-10-31 Thread Jim Reid
> On 31 Oct 2018, at 00:27, Mark Andrews wrote: > > Bootstrap is still an issue. Over fast TA rolling makes it more of an issue. Indeed. And that's the underlying problem that needs to be fixed IMO - for instance when/if there's an emergency rollover.

[DNSOP] KSK rollover choices

2018-10-30 Thread Paul Hoffman
Just a brief note that the threads about KSK futures started on the ksk-rollo...@icann.org mailing list and should probably still be there. The only bit that was meant to be on this Working Group mailing list was an announcement of the side-meetings next week.

Re: [DNSOP] KSK rollover choices

2018-10-30 Thread Mark Andrews
> On 31 Oct 2018, at 11:16 am, Jim Reid wrote: > > On 30 Oct 2018, at 22:31, Mark Andrews wrote: >> >> Ultra frequent key rolls are not necessary. It takes years for the latest >> releases of name servers to make it into shipping OS’s. > > So what? Key rollover policies cannot and should not

[DNSOP] KSK rollover choices

2018-10-30 Thread Jim Reid
On 30 Oct 2018, at 22:31, Mark Andrews wrote: > > Ultra frequent key rolls are not necessary. It takes years for the latest > releases of name servers to make it into shipping OS’s. So what? Key rollover policies cannot and should not be driven by vendor OS release schedules. Or the

[DNSOP] KSK rollover postponed

2017-09-28 Thread Mikael Abrahamsson
https://www.icann.org/news/announcement-2017-09-27-en Thought this might be relevant to some. -- Mikael Abrahamsson email: swm...@swm.pp.se

[DNSOP] KSK rollover in .cz

2010-07-31 Thread Jaromír Talíř
Hi, I have just a quick piece of information from the DNSSEC movement in .cz. Next Tuesday we will start our first KSK rollover for the .cz domain. We decided to choose the stronger algorithm RSASHA512 and to switch from NSEC to NSEC3. That means we have to follow the procedure for algorithm rollover as described in

Re: [DNSOP] KSK rollover

2010-05-22 Thread George Barwood
, May 13, 2010 8:56 AM Subject: [DNSOP] KSK rollover I have been thinking about KSK rollover in my DNSSEC implementation, and it seems that there is currently no specification for KSK rollover within the DNSSEC protocol. There is this expired requirements draft http://tools.ietf.org/wg

Re: [DNSOP] KSK rollover

2010-05-22 Thread Chris Thompson
On May 22 2010, George Barwood wrote: Well, I have uploaded a draft : http://www.ietf.org/id/draft-barwood-dnsop-ds-publish-00.txt Comments and/or indications of support are of course welcome, on or off list. Section 3: | The CDS record MUST be signed with a Key Signing Key, that is a key |

Re: [DNSOP] KSK rollover

2010-05-22 Thread George Barwood
Chris, Thanks for your comments. - Original Message - From: Chris Thompson c...@cam.ac.uk To: George Barwood george.barw...@blueyonder.co.uk Cc: dnsop@ietf.org Sent: Saturday, May 22, 2010 8:07 PM Subject: Re: [DNSOP] KSK rollover On May 22 2010, George Barwood wrote: Well, I have

[DNSOP] KSK rollover

2010-05-13 Thread George Barwood
I have been thinking about KSK rollover in my DNSSEC implementation, and it seems that there is currently no specification for KSK rollover within the DNSSEC protocol. There is this expired requirements draft http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-key-rollover-requirements/ but

Re: [DNSOP] KSK rollover

2010-05-13 Thread Patrik Wallstrom
On May 13, 2010, at 9:56 AM, George Barwood wrote: I have been thinking about KSK rollover in my DNSSEC implementation, and it seems that there is currently no specification for KSK rollover within the DNSSEC protocol. There is this expired requirements draft

Re: [DNSOP] KSK rollover

2010-05-13 Thread George Barwood
- Original Message - From: Patrik Wallstrom pa...@blipp.com To: George Barwood george.barw...@blueyonder.co.uk Cc: dnsop@ietf.org Sent: Thursday, May 13, 2010 9:06 AM Subject: Re: [DNSOP] KSK rollover On May 13, 2010, at 9:56 AM, George Barwood wrote: I have been thinking about KSK

Re: [DNSOP] KSK rollover

2010-05-13 Thread Evan Hunt
That is certainly relevant to rollover, but it doesn't specify any means by which the new DS records can be placed in the parent zone. You're correct, there's no mechanism for doing this within the DNS. You need to update DS records through your registrar just as you do with NS records and

Re: [DNSOP] KSK rollover

2010-05-13 Thread Edward Lewis
At 17:37 +0100 5/13/10, George Barwood wrote: I'm somewhat puzzled that there is no specification, and apparently no activity on this. http://www.ripe.net/ripe/meetings/ripe-59/presentations/lewis-dnssec.pdf There's activity. There's no standard underway because of the plethora of

Re: [DNSOP] KSK rollover

2010-05-13 Thread Mark Andrews
In message 44c21cd9ee514b039eafeafa707a2...@local, George Barwood writes: - Original Message - From: Patrik Wallstrom pa...@blipp.com To: George Barwood george.barw...@blueyonder.co.uk Cc: dnsop@ietf.org Sent: Thursday, May 13, 2010 9:06 AM Subject: Re: [DNSOP] KSK rollover

Re: [DNSOP] KSK rollover

2010-05-13 Thread Joe Abley
On 2010-05-13, at 19:33, Mark Andrews wrote: There are lots of ways to do this. * Use UPDATE to update the delegation records in the parent. This would work today; it only requires a willingness to do so. This can be done securely (TSIG) and will scale.

Re: [DNSOP] KSK rollover

2010-05-13 Thread Joe Abley
On 2010-05-13, at 22:13, Joe Abley wrote: ... and there's also the approach that is actually being implemented, which is described in RFC 4310. Or 5910, since that seems to exist now. :-) Internet Engineering Task Force (IETF) J. Gould Request for Comments: 5910

Re: [DNSOP] KSK rollover

2010-05-13 Thread Mark Andrews
In message 74ae2b2b-a09a-4fbf-b6c3-7eebe89ca...@hopcount.ca, Joe Abley writes: On 2010-05-13, at 19:33, Mark Andrews wrote: There are lots of ways to do this. * Use UPDATE to update the delegation records in the parent. This would work today; it only requires a willingness