Re: .gov DNSSEC operational message

["Kevin Oberman" <oberman () es net>]

> Date: Tue, 28 Dec 2010 22:34:20 -0500 (EST)
> From: Jay Ashworth <jra () baylink com>
>
> ---- Original Message -----
> > From: "Kevin Oberman" <oberman () es net>
>
> > There is no reason that you could not do OOB transfers of keys, but it
> > would be so cumbersome with the need to maintain keys for every TLD
> > (and, for that matter, every zone under them) and deal with key rolls
> > at random intervals and confirm that the new keys you were getting were,
> > in fact legitimate would be more than overwhelming. It just does not
> > scale.
>
> I apologize; I was not clear.
>
> I was not suggesting OOB *production transfer of keying information*.
>
> I was rather suggesting that an additional publication of the keys, in
> an authenticatable manner, which could be used by anyone who believed
> that Something Hincky might be going on to confirm or deny, might be
> useful.

Ahh. I did miss your point and I suspect others (other than Bill) might
have, as well.

Yes, having a verifiable source of keys OOB might have a small bit of
value, but, assuming we get general adoption of RFC 5011, I think it's
pretty limited value. Of course, this begs the question, how do we do a
better job of verifying the keys received out of band than the root zone
does of verifying the keys? Sort of a chicken and egg problem.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman () es net                       Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751