Trust anchor configuration and maintenance

1
Trust anchor configuration and maintenance

• Matt Larson (mlarson_at_verisign.com)
• Ólafur Guðmundsson (ogud_at_ogud.com)

2
Motivations

• Certain Trust Anchors need to be distributed
  out-of-band
• One universal mechanism is better than many

3
What to configure for a TA?
DNSKEY DS
Size Large fixed
Human entering Cut paste Type in
Can be used Right away After DNSKEY query
Detects expired TA possibly yes

• Public key of the trust anchor (DNSKEY)
• Cryptographic hash (DS)

4
Recommendations

• Use DS SHA256 as the TA configuration format.
• Perform priming queries on demand and repeat when
  DNSKEY set expires due to TTL

5
TA Maintenance

• Use the timers mechanism promoted by DNSEXT to go
  forward when possible
• Get root key TA via trusted update mechanism
  (examples)
• Software/OS updates
• Specialized small software module checks for
  changes periodically

6
Next Steps

• Would like DNSOP to adopt document
• Open issues
• Alternate more human friendly hash than DS?
• More operational recommendations ?