On Tue, Dec 28, 2010 at 08:07:22PM -0800, Kevin Oberman wrote:
Yes, having a verifiable source of keys OOB might have a small bit of value, but, assuming we get general adoption of RFC 5011, I think it's pretty limited value. Of course, this begs the question, how do we do a better job of verifying the keys received out of band than the root zone does of verifying the keys? Sort of a chicken and egg problem. -- R. Kevin Oberman, Network Engineer
That presumes RFC 5011 is viable. Fall outside the 30-day window and you're screwed. :) That said, what folks came up with for the root key roll might be a useful template, e.g. the use of TCRs and an M/N assurance check, in those rare cases where you're just foobarred and you can't take your servers into the SCIF to rekey. And/or an alternative to the strict timing constraints in RFC 5011 with a protocol that gives more leeway for a node being offline over a key-roll interval. There -should- be a functional equivalent of OTAR for DNSSEC keys that is not constrained to a tight window... IMHO of course. --bill
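The window bill is talking about, as an added example that is not part of this thread: a reduced Python model of the RFC 5011 hold-down rules showing that a validator which probes once when the new key appears and next only after the old key has been revoked is left with no trusted anchor, while one that completes the 30-day add hold-down before the revocation rolls over cleanly. The key names, the 35-day revocation and the day-based timeline are constructed for the example.

```python
"""Reduced RFC 5011 trust-anchor state machine (add/revoke hold-downs only).
Added example, not code from this thread.  Days replace real timestamps and
the key names are constructed.  Absence of a pending key is judged only on
probes that actually happen, so an offline validator neither advances nor
resets its timers while it is down."""
ADD_HOLD_DOWN = 30     # RFC 5011 default add hold-down, days
REMOVE_HOLD_DOWN = 30  # RFC 5011 default remove hold-down, days

class TrustAnchors:
    def __init__(self, initial_keys):
        # per key: ('valid', None) | ('addpend', first_seen) | ('revoked', since) | ('removed', None)
        self.keys = {k: ('valid', None) for k in initial_keys}

    def trusted(self):
        return {k for k, (state, _) in self.keys.items() if state == 'valid'}

    def observe(self, day, dnskey, revoked, signers):
        """One probe of the zone's DNSKEY RRset on `day`.
        dnskey: key ids present; revoked: ids with the REVOKE bit set;
        signers: ids with an RRSIG over the RRset."""
        # A trusted key with REVOKE set that self-signs the RRset is revoked, and
        # from then on validates nothing else (RFC 5011 section 2.1).
        for k in revoked & set(self.keys):
            if self.keys[k][0] == 'valid' and k in signers:
                self.keys[k] = ('revoked', day)
        # Without a signature from a still-valid anchor, no other state changes.
        if not (self.trusted() & signers):
            return
        for k in dnskey - revoked:
            state, since = self.keys.get(k, ('start', None))
            if state == 'start':
                self.keys[k] = ('addpend', day)
            elif state == 'addpend' and day - since >= ADD_HOLD_DOWN:
                self.keys[k] = ('valid', None)
        for k, (state, since) in list(self.keys.items()):
            if state == 'addpend' and k not in dnskey:   # pending key vanished
                del self.keys[k]
            elif state == 'revoked' and day - since >= REMOVE_HOLD_DOWN:
                self.keys[k] = ('removed', None)

def roll(probe_days, revoke_day=35):
    """Constructed roll: 'ksk-new' is published at day 0 next to the trusted
    'ksk-old', and 'ksk-old' is revoked on revoke_day.  Returns the anchors
    still trusted after the validator's last probe."""
    ta = TrustAnchors({'ksk-old'})
    for day in sorted(probe_days):
        revoked = {'ksk-old'} if day >= revoke_day else set()
        ta.observe(day, {'ksk-old', 'ksk-new'}, revoked, {'ksk-old', 'ksk-new'})
    return ta.trusted()
```

`roll(range(70))` ends with only `ksk-new` trusted; `roll([0, 45])` ends with nothing trusted, which is the stuck validator that needs an out-of-band rekey.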