A New Internet-Draft is available from the on-line Internet-Drafts directories.
Title : Signalling of DNS Security (DNSSEC) Trust Anchors
Authors : Warren Kumari
Geoff Huston
Evan Hunt
Roy Arends
Filename : draft-wkumari-dnsop-trust-management-01.txt
Pages : 9
Date : 2015-10-05
Abstract:
[ Editor note: This originally included a mechanism to actually roll
the keys (like RFC5011 does), but feedback from the Prague meeting
indicated a strong preference for signalling only. ]
This document describes a simple method for validating recursive
resolvers to signal their configured list of DNSSEC trust anchors.
This mechanism allows the trust anchor maintainer to monitor the
progress of the migration to a new trust anchor, and so predict the
effect before decommissioning the existing trust anchor.
It is primarily aimed at the root DNSSEC trust anchor, but should be
applicable to trust anchors elsewhere in the DNS as well.
[ Ed note - informal summary: One of the big issues with rolling the
root key is that it is unclear who all is using RFC5011, who all has
successfully fetched and installed the new key, and, most
importantly, who all will die when the old key is revoked. By having
resolvers query for a special QNAME, comprised of the list of TAs
that it knows about, we effectively signal "up stream" to the
authoritative server. By querying for this name, the recursive
exposes its list of TAs to this authoritative server. This allows
the TA maintainer to gather information relating to the state of TAs
on resolvers.]
[ Ed note: Text inside square brackets ([]) is additional background
information, answers to frequently asked questions, general musings,
etc. They will be removed before publication.]
[ This document is being collaborated on in Github at:
https://github.com/wkumari/draft-wkumari-dnsop-trust-management. The
most recent version of the document, open issues, etc should all be
available here. The authors (gratefully) accept pull requests ]
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-wkumari-dnsop-trust-management/
There's also a htmlized version available at:
https://tools.ietf.org/html/draft-wkumari-dnsop-trust-management-01
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-wkumari-dnsop-trust-management-01
Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.
Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
_______________________________________________
I-D-Announce mailing list
I-D-Announce@ietf.org
https://www.ietf.org/mailman/listinfo/i-d-announce
Internet-Draft directories: http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
