Trust anchor configuration and maintenance

Slides: 7
Provided by: OlafurGud2
Learn more at: https://www.ietf.org

1
Trust anchor configuration and maintenance
  • Matt Larson (mlarson_at_verisign.com)
  • Ólafur Guðmundsson (ogud_at_ogud.com)

2
Motivations
  • Certain Trust Anchors need to be distributed
    out-of-band
  • One universal mechanism is better than many

3
What to configure for a TA?
  • Public key of the trust anchor (DNSKEY)
  • Cryptographic hash (DS)

                      DNSKEY        DS
Size                  Large         fixed
Human entering        Cut & paste   Type in
Can be used           Right away    After DNSKEY query
Detects expired TA    possibly      yes

4
Recommendations
  • Use DS SHA256 as the TA configuration format.
  • Perform priming queries on demand and repeat when
    DNSKEY set expires due to TTL
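
The check behind the slide 3 table and the recommendation above, as an added example that is not part of the presentation: a DS SHA-256 trust anchor is matched against the DNSKEY set returned by a priming query, and no match means the configured TA is stale. The key bytes are constructed samples, the function names are hypothetical, and validating the RRSIG over the DNSKEY set is assumed to happen elsewhere.

```python
import hashlib
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key may sign zone data
REVOKE = 0x0080    # RFC 5011 revoke bit

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name; "." is the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(key):
    """key is (flags, protocol, algorithm, public_key_bytes)."""
    flags, protocol, algorithm, pubkey = key
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, key):
    """Build (key_tag, algorithm, digest_type, digest_hex) with SHA-256 (type 2)."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key[2], 2, digest)

def match_trust_anchor(owner, ds, dnskey_set):
    """Return the DNSKEY the configured DS vouches for, or None if none matches."""
    for key in dnskey_set:
        if not key[0] & ZONE_KEY or key[0] & REVOKE:
            continue  # not a zone key, or revoked: never usable as an anchor
        if make_ds(owner, key) == ds:
            return key
    return None

# Constructed sample keys (not real key material).
OLD_KSK = (257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = (257, 3, 8, b"\x0a\x0b\x0c\x0d")
ZSK = (256, 3, 8, b"\x05\x06\x07\x08")
CONFIGURED_TA = make_ds(".", OLD_KSK)  # the DS the operator typed in

if __name__ == "__main__":
    print("TA:", CONFIGURED_TA)
    print("before roll:", match_trust_anchor(".", CONFIGURED_TA, [ZSK, OLD_KSK]))
    print("after roll: ", match_trust_anchor(".", CONFIGURED_TA, [ZSK, NEW_KSK]))
```

A `None` result after the priming query is the "Detects expired TA: yes" row in practice: the resolver knows its configured anchor no longer corresponds to any published key and must obtain a new one out-of-band.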

5
TA Maintenance
  • Use the timers mechanism promoted by DNSEXT to go
    forward when possible
  • Get root key TA via trusted update mechanism
    (examples)
      • Software/OS updates
      • Specialized small software module checks for
        changes periodically

6
Next Steps
  • Would like DNSOP to adopt document
  • Open issues
      • Alternative, more human-friendly hash than DS?
      • More operational recommendations?