----- Original Message -----
From: "Matt Larson" <mlarson@verisign.com>
On Thu, 23 Dec 2010, Jay Ashworth wrote:
From: "Matt Larson" <mlarson@verisign.com>
The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone.
That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell.
Why was that decision taken, Matt?
Having a zone's KSK statically configured on validators as a trust anchor can lead to a world of hurt: when rolling the KSK, the zone owner has to get everyone to update their trust anchor configuration. In theory, the protocol described in RFC 5011 allows an operator to signal a roll and validators will do the right thing. In practice, in these early days, you can't count on much 5011 deployment because implementations haven't been available for that long.
Yes, I'd gathered that.
This situation puts the operator of a popular signed zone, such as a TLD, in a difficult position and makes KSK rolls difficult--but only if the KSK is statically configured. Meanwhile, we now have a perfectly good signed root zone that can vouch for any TLD's KSK. As a result, as the impending registry operator for .gov, VeriSign doesn't want to encourage static configuration of the .gov KSK as a trust anchor. Such static configuration would be made easier and implicitly condoned if the .gov KSK were published and authenticatable outside of DNS.
Ok, having re-read this a third time, now on a full sized screen, I guess I see what you're driving at: you don't *want* an out-of-band auth channel, *because people will use it*.
Note that the situation is the same today with the signed .net zone (and will be the same for the .com zone when it is signed in Q1 of 2011): the .net KSK is intentionally not published outside DNS. The path to trusting that key is via the signed DS record corresponding to it in the root zone.
Just remember what Lazarus Long said: "put all your eggs in one basket, certainly. But make sure it's a *very good* basket." Cheers, -- jr 'where am I going? And why am I in this handbasket?' a