Re: public consultation on root zone KSK rollover
The topic at hand and the specific questions that have been asked as part of the consultation are important ones;
Do it when you feel like it; nobody should notice. Anything this important should be routine procedure, make it daily.
You do realize this requires changing validating resolver configuration data, right?
Yes. How hard can it be (answer not required). While it's quaint that the elders of the internet meet and bless each new key I don't think this scales. I know it's not easy but it needs to be simple and automatic for wide deployment. brandon
Brandon, On Apr 4, 2013, at 5:35 PM, Brandon Butterworth <brandon@rd.bbc.co.uk> wrote:
>> You do realize this requires changing validating resolver configuration data, right?
> Yes. How hard can it be (answer not required).
> While it's quaint that the elders of the internet meet and bless each new key I don't think this scales.
The point of the wildly over-engineered root key signing ceremony is to build trust by publicly demonstrating at every step there is no opportunity for intentional or accidental badness to occur without being noticed. Compare this to the processes used by commercial X.509 CAs when they roll their root keys (you might also want to look at how often they roll their keys).
> I know it's not easy but it needs to be simple and automatic for wide deployment.
Even with RFC 5011 support in every validating resolver on the planet (not holding my breath), this requires all of those validating resolvers to accept a directive from the "outside" which instructs software to write something to permanent storage. I can easily imagine some folks being a bit nervous about this. Particularly given it would seem some CPE developers can't figure out how to write DNS resolvers that can be configured to not respond to arbitrary external queries.

Frequency of root key rolling is actually a fairly complicated risk/benefit tradeoff. Frequently rolling means it's more likely that the roll will be successful globally. However, it also increases the risk of (a) breaking DNS resolution for some percentage of the Internet and (b) catastrophically failing such that RFC 5011-style rollover will no longer work, necessitating a manual reconfiguration of every validating resolver on the Internet. "Choose wisely".

In any event, if you haven't already I would encourage you to provide comments at the URL Joe referenced.

Regards,
-drc
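The RFC 5011 mechanism discussed above, as an added illustration that is not part of this thread: a simplified validating-resolver trust anchor store that only admits a new key after the 30-day add hold-down, only honours a revocation signed by the revoked key itself, and ignores any DNSKEY RRset not signed by a currently trusted key. Key tags, timestamps and the hypothetical `TrustAnchorStore`/`Anchor` names are constructed for the example; SEP-flag filtering and the Missing state of RFC 5011 are omitted.

```python
from dataclasses import dataclass, field

ADD_HOLD_DOWN = 30 * 24 * 3600     # RFC 5011 section 2.4.1: 30 days
REMOVE_HOLD_DOWN = 30 * 24 * 3600  # RFC 5011 section 2.4.2: 30 days


@dataclass
class Anchor:
    state: str    # "AddPend", "Valid" or "Revoked"
    since: float  # time (seconds) the key entered its current state


@dataclass
class TrustAnchorStore:
    # Hypothetical persistent store: key tag -> Anchor (constructed example)
    anchors: dict = field(default_factory=dict)

    def trusted(self):
        """Key tags the resolver currently uses to validate the root."""
        return {tag for tag, a in self.anchors.items() if a.state == "Valid"}

    def observe(self, keys, signed_by, now):
        """Process one validated DNSKEY RRset.

        keys: {keytag: revoke_bit_set}; signed_by: tags whose RRSIGs verified.
        """
        # RFC 5011 2.2: act only on an RRset signed by a currently trusted key,
        # so an unauthenticated RRset can never start a hold-down.
        if not (self.trusted() & signed_by):
            return
        for tag, revoked in keys.items():
            a = self.anchors.get(tag)
            if revoked:
                # A revocation is believed only when the key signs its own revocation.
                if a and a.state in ("Valid", "AddPend") and tag in signed_by:
                    self.anchors[tag] = Anchor("Revoked", now)
                continue
            if a is None:
                self.anchors[tag] = Anchor("AddPend", now)   # start hold-down
            elif a.state == "AddPend" and now - a.since >= ADD_HOLD_DOWN:
                self.anchors[tag] = Anchor("Valid", now)     # write to storage
        # A pending key that disappears restarts its hold-down from scratch.
        for tag in [t for t, a in self.anchors.items()
                    if a.state == "AddPend" and t not in keys]:
            del self.anchors[tag]
        # Forget revoked keys once the remove hold-down has elapsed.
        for tag in [t for t, a in self.anchors.items()
                    if a.state == "Revoked" and now - a.since >= REMOVE_HOLD_DOWN]:
            del self.anchors[tag]
```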
< rant >
> The point of the wildly over-engineered root key signing ceremony is to build trust by publicly demonstrating at every step there is no opportunity for intentional or accidental badness to occur without being noticed.
at some point, long past, the more pomp, the less safe i feel. there is protecting against technical/engineering threats and protecting against layer 8 through 11. through complexity, it compromises the technical protection to go overboard on the lawyer defense. from this bottom feeder's pov, icann, verisign, doc, ... are too often the layer 8 through 11 threat than part of the engineering solution.
> In any event, if you haven't already I would encourage you to provide comments at the URL Joe referenced.
definitely. after all, commenting on icann insanities has had such serious beneficial effect for the good of the internet in the past. randy
Randy, On Apr 6, 2013, at 7:10 AM, Randy Bush <randy@psg.com> wrote:
> at some point, long past, the more pomp, the less safe i feel.
Have you actually watched/participated in a root key signing ceremony? Pomp is not the term I would use.
> there is protecting against technical/engineering threats and protecting against layer 8 through 11. through complexity, it compromises the technical protection to go overboard on the lawyer defense.
Technical protection like those that protected Diginotar's customers? The elaborate root key signing ceremony is designed to ensure all aspects of root key management are open, transparent, and can be audited by anyone. While I'd agree that it is non-technical, the technical/engineering part is the easy bit. Protecting against insiders, laziness, and stupidity is _far_ harder.
>> In any event, if you haven't already I would encourage you to provide comments at the URL Joe referenced.
> definitely. after all, commenting on icann insanities has had such serious beneficial effect for the good of the internet in the past.
I can guarantee that providing comments is infinitely more likely to have an impact than stomping off in a huff :)

Regards,
-drc