This document discusses the critical aspects of trust anchor (TA) configuration and maintenance, presented by Matt Larson and Ólafur Guðmundsson at IETF68. It emphasizes the necessity of distributing certain trust anchors out-of-band and advocates for one universal configuration mechanism. Key recommendations include using a DS record with SHA-256 as the TA configuration format and performing priming queries on demand, repeating them when the DNSKEY set expires due to its TTL. The talk also addresses maintenance strategies, such as using the timers mechanism promoted by DNSEXT and obtaining the root key TA through a trusted update mechanism. Finally, it asks DNSOP to adopt the document and seeks input on operational recommendations and an alternative, more human-friendly hash format.
Trust anchor configuration and maintenance
Matt Larson (mlarson@verisign.com)
Ólafur Guðmundsson (ogud@ogud.com)
DNSOP @ IETF68
Motivations
• Certain Trust Anchors need to be distributed out-of-band
• One universal mechanism is better than many
What to configure for a TA?
• Public key of the trust anchor (DNSKEY)
• Cryptographic hash (DS)
Recommendations
• Use DS SHA256 as the TA configuration format.
• Perform priming queries on demand and repeat when the DNSKEY set expires due to TTL
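As an added illustration of the DS SHA256 recommendation (not part of the slides), the following example derives a DS record (RFC 4034, digest type 2 from RFC 4509) from a DNSKEY and checks a freshly primed DNSKEY RRset against the configured trust anchor; the keys and owner names are constructed sample values, not real root keys.

```python
"""Derive a SHA-256 DS trust anchor from a DNSKEY and validate a primed
DNSKEY RRset against it. Sample keys below are constructed, not real."""
import hashlib
import struct

DS_SHA256 = 2  # RFC 4509 digest type for SHA-256


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase, uncompressed) wire form of an owner name."""
    labels = [lb for lb in name.lower().rstrip(".").split(".") if lb]
    return b"".join(struct.pack("B", len(lb)) + lb.encode("ascii")
                    for lb in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit sum with carry folded in)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes) -> tuple:
    """DS as (key_tag, algorithm, digest_type, hex_digest).
    Digest input is the owner name in wire form followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], DS_SHA256, digest)


def keys_matching_anchor(owner: str, primed_keys: list, configured_ds: set) -> list:
    """Return the primed DNSKEY RDATAs whose DS equals a configured trust anchor.
    An empty result means the TA is stale (key rolled) or the RRset is not trusted;
    that is the signal to re-prime or to fetch an updated TA out-of-band."""
    return [k for k in primed_keys if ds_from_dnskey(owner, k) in configured_ds]


if __name__ == "__main__":
    # Constructed sample: a KSK (flags 257) and a ZSK (flags 256), algorithm 8.
    ksk = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x04")
    zsk = dnskey_rdata(256, 3, 8, b"\x05\x06\x07\x08")
    configured = {ds_from_dnskey(".", ksk)}          # the operator's TA config
    print("matching keys:", keys_matching_anchor(".", [ksk, zsk], configured))
    tampered = dnskey_rdata(257, 3, 8, b"\x01\x02\x03\x05")
    print("after key change:", keys_matching_anchor(".", [tampered, zsk], configured))
```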
TA Maintenance
• Use the timers mechanism promoted by DNSEXT to go forward when possible
• Get root key TA via trusted update mechanism (examples)
  • Software/OS updates
  • Specialized small software module checks for changes periodically
Next Steps
• Would like DNSOP to adopt document
• Open issues:
  • Alternate more human friendly hash than DS?
  • More operational recommendations?