On 27 Apr 2024, at 03:37, Warren Kumari <[email protected]> wrote:
>>> For the record, the last time a ccTLD published a revoked SEP key was April
>>> 9, 2019 (this was not the revocation of the root zone KSK but a TLD's KSK),
>>> so I know that none of the TLDs have completed an Automated Updates roll
>>> since then.
>
>
> I don't really understand under what conditions I'd want to have a
> trust-anchor for any (public) zone.
Every zone administrator has the problem of key distribution if relying parties
who want to validate signatures exist (if it can be established that none
exist, why sign your zone). There are multiple approaches that can be used, of
which publishing key material in your parent zone is just one. Just because we
might think that's the right method for most people and most zones doesn't mean
it's the only method.
Different zones and different zone administrators can reasonably make different
assessments of risk when it comes to trust anchor distribution. There is
nothing to stop a particular zone administrator making the local assessment
that they don't like the practices associated with their parent zone, or their
parent's parent, for example, especially if their concerns are concentrated
around validation by a known set of relying parties. Zones exist which are not
discoverable by referral responses (you have to know where the auth servers
are), which means secure referrals are not available, and if such zones want to
offer validation they need other methods for key distribution.
It's a big Internet. There is a lot of surprising stuff in it. I find it's
usually a mistake to imagine that anybody knows how all of it works just
because they know how some of it works. Thinking the opposite and turning over
rocks can reveal some interesting things.
Joe
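As an added illustration of the two distribution paths Joe contrasts (this code is not from the thread or from any of its participants): the same DNSKEY can either be summarised as a DS record that the parent publishes, or be handed to a validating resolver directly as a locally configured trust anchor in DNSKEY presentation format. The block also shows the RFC 5011 REVOKE bit that Warren's quoted remark refers to, and the detail that setting it changes the key tag, so a revoked key cannot be matched by tag against the parent's DS. The key bytes are constructed placeholders, the owner name `example.` is assumed, and signature verification (which a real RFC 5011 consumer must do before trusting a revocation) is deliberately out of scope.

```python
"""Added example, not code from the dns-operations thread: DS generation for
publication in a parent zone versus a locally configured DNSKEY trust anchor,
plus RFC 5011 REVOKE handling. Key material below is constructed, not real."""
import base64
import hashlib

SEP_FLAG = 0x0001     # RFC 4034: Secure Entry Point (a KSK-style key)
REVOKE_FLAG = 0x0080  # RFC 5011: the key holder has revoked this key


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def flags_of(rdata: bytes) -> int:
    return int.from_bytes(rdata[:2], "big")


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> str:
    """DS presentation form (digest type 2 = SHA-256): what the parent publishes.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return f"{owner} DS {key_tag(rdata)} {algorithm} 2 {digest}"


def dnskey_record(owner: str, rdata: bytes) -> str:
    """DNSKEY presentation form: what a resolver operator pastes into a local
    trust-anchor configuration (for example Unbound's trust-anchor: option)
    when the parent zone is not the distribution channel they rely on."""
    key_b64 = base64.b64encode(rdata[4:]).decode("ascii")
    return f"{owner} DNSKEY {flags_of(rdata)} {rdata[2]} {rdata[3]} {key_b64}"


def split_trust_anchor_candidates(rdatas):
    """Partition a DNSKEY RRset into (usable anchor candidates, revoked keys).
    Only SEP keys qualify as anchors. A key carrying REVOKE must be dropped
    from the local store once its self-signature verifies (RFC 5011 section
    2.1); that verification step is not implemented here."""
    usable = [r for r in rdatas
              if flags_of(r) & SEP_FLAG and not flags_of(r) & REVOKE_FLAG]
    revoked = [r for r in rdatas if flags_of(r) & REVOKE_FLAG]
    return usable, revoked


if __name__ == "__main__":
    owner = "example."                       # assumed owner name
    fake_pubkey = bytes(range(1, 33))        # constructed, not a real key
    ksk = dnskey_rdata(257, 13, fake_pubkey)             # SEP set
    zsk = dnskey_rdata(256, 13, fake_pubkey[::-1])       # SEP clear
    ksk_revoked = dnskey_rdata(257 | REVOKE_FLAG, 13, fake_pubkey)

    print("Parent publishes:   ", ds_record(owner, ksk))
    print("Local anchor config:", dnskey_record(owner, ksk))
    print("Key tag before/after REVOKE:", key_tag(ksk), key_tag(ksk_revoked))
    usable, revoked = split_trust_anchor_candidates([ksk, zsk, ksk_revoked])
    print("Usable anchors:", [key_tag(r) for r in usable],
          "Revoked:", [key_tag(r) for r in revoked])
```

The key-tag shift on revocation is why a resolver that only knows the parent's DS cannot recognise the revoked key by tag; an RFC 5011 consumer instead matches on the key material and the self-signature, which is the machinery the "Automated Updates roll" in the quoted text depends on.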
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations