dnssec key management policy · 2010-07-28 · key management july 21, 2010 [email protected] 3...
TRANSCRIPT
![Page 2: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/2.jpg)
Agenda
• WhatisKeyManagement?• WhyandWhereitfits?
• KeyManagementindetail
• Ourexperiencein"dotUS"and"dotBIZ"
July21,2010 [email protected] 2
![Page 3: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/3.jpg)
KeyManagement
July21,2010 [email protected] 3
• IlearnedalotbyreadingUSNISTdocuments– IamnotsureifthesameexistinJapan
• AreadinglistforKeyManagement&DNSSEC– hVp://csrc.nist.gov/publicaZons/PubsSPs.html– SP800‐57,alsoseeSP800‐53,SP800‐81
• HelpfulinformaZononHSMdevices– hVp://csrc.nist.gov/publicaZons/PubsFIPS.html– FIPS140‐2
![Page 4: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/4.jpg)
WhyManageKeys?
• DNSSECuseskeystoproducedigitalsignatures• Keysareusedindifferentways
• Keyshave"lifeZmes"andcannotbeconsideredtobe"forever"
• Thereisalotofdebateonhowlongtouseakeyandhowakeyshouldbeused
July21,2010 [email protected] 4
![Page 5: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/5.jpg)
電子署名の概念
July21,2010 [email protected] 5
公開鍵
秘密鍵
鍵生成
ランダム番号ジェネレータ
署名生成 署名検証
秘密鍵
平文
公開鍵
平文
ハッシュ関数 ハッシュ関数
平文
電子署名 電子署名
![Page 6: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/6.jpg)
Thegreybox
• Onthepreviousslideagrayboxgroups– 鍵生成
– 署名生成– ランダム番号ジェネレータ– ハッシュ関数
• ThesefuncZonsmaybeinasodwarelibrary(likeOpenSSL)ormaybeinanHardwareSecurityModule(HSM)
July21,2010 [email protected] 6
![Page 7: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/7.jpg)
3waysdatachangesinDNSSEC
• Zonefile'sdatachanges(sameinDNS)– Newhosts/addresses/etc.
• Signaturesexpire(newinDNSSEC)– DNSSECreliesonexpiraZonZmeforrevocaZon– Signatureshavetobe"refreshed"
• Key/cryptographicmaterialchanges(alsonew)– Keysandalgorithmsdon'tlastforever– RecoveryfromanaVackmayrequirenewkeys
July21,2010 [email protected] 7
![Page 8: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/8.jpg)
HSMDNSSECFlow
July21,2010 [email protected] 8
鍵生成
署名生成
鍵キャッシュDNSSEC署名手順
DNSSECの鍵管理
DNSゾーンデータベース
DNSSECの署名の管理
ネームサーバ
ランダム番号ジェネレータ
秘密鍵
公開鍵
![Page 9: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/9.jpg)
HSM&DNSSEC署名手順
• HSMorsodwarecryptographiclibrary– Providesthe"mathemaZcmuscle"forcryptography
– (non‐HSM:Openssllibraries)
• DNSSEC署名手順signscurrentdatawithcurrentkeys– PutsthecryptographyintoDNSSECrecords,zones– Feedsthenameserver
July21,2010 [email protected] 9
![Page 10: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/10.jpg)
WhenandHow(toSign)Policy
• Decisionofwhentosignisgovernedby– DNSゾーンデータベースbecausedataischanged
– DNSSECの署名の管理becausesignaturesareexpiring(orwall‐clockalarmstrikes)
• Decisionofwhatkeytouseisgovernedby– DNSSECの鍵管理hastomanagethecurrentsetandchangestothenextsetofkeys
July21,2010 [email protected] 10
![Page 11: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/11.jpg)
PleaseRecycle
• Regarding"whentosign"– GeneraZngnewsignaturesbeforeitisnecessarytodosoisdiscouraged
– ZonetransfersbecomelargeandnameserverssZllarenotgoodatjugglingzonetransfersandqueries
• IfazoneisstaZc,letsignatureslivelongandrefreshthemwithshortoverlaps
July21,2010 [email protected] 11
![Page 12: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/12.jpg)
DNSゾーンデータベース
• ChangestothezonecontentswillcauseDNSSECsigningtohappen– Userchangestothezone(newhost)– DNSSECの鍵管理deliversanew公開鍵– (Notshown)NSEC3parameterischanged
• Policy– Azonemustalwayshaveacompletesetoffreshsignatures.NoexcepZons!
July21,2010 [email protected] 12
![Page 13: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/13.jpg)
DNSSECの署名の管理
• DNSSECsignatureshaveexpiraZonZmes– Whenasignatureexpiresitmustberefreshed
– UsuallythisfuncZonisbuiltintoothertools• Policy– Ruleofthumb,refreshsignaturewellbeforeexpiraZontogiveenoughZmeto"recover"fromafailure
July21,2010 [email protected] 13
![Page 14: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/14.jpg)
DNSSECの鍵管理
• DeterminesiftheexisZngkeysare"good"orifthereisaneedtochange
• KeyManagementPolicy– Followingslides
• PolicyimplementaZon– Requiresnewkeypairstobegenerated– SendsDNSゾーンデータベースnewpublickeys– Rotateskeysintoandoutofservice– Revokeskeys
July21,2010 [email protected] 14
![Page 15: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/15.jpg)
KeyManagementPolicyAspects
• Keyroles– UseKSK/ZSKornot?FollowRFC5011?
• Keyalgorithm(andhash)andsize– RSASHA256?SHA1?SHA512?GOST?– 1024bitsor2048bits?
• KeylifeZme– DuraZonofkey"effecZvity"period– ProcedureandZmingofkeychange
July21,2010 [email protected] 15
![Page 16: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/16.jpg)
KeyRoles
• ChooseKSK/ZSKorjustonekey?– Iftheparentzoneisfastandresponsive,onekeyisgood
– Butiftheparentisslow,theKSK/ZSKapproachisworththemanagementoftheextrakey
• KSK/ZSK– AssumedbyDNSSECearlyadopters,notarequirement
– SeeRFC4641July21,2010 [email protected] 16
![Page 17: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/17.jpg)
KSK/ZSK
July21,2010 [email protected] 17
ParentZone子ゾーン.日本 DS1234582A057C8553....
ChildZone...子ゾーン.日本 DNSKEY257...;keyid=12345子ゾーン.日本 DNSKEY256...;keyid=32123子ゾーン.日本 RRSIGDNSKEY...;by12345
TheZSK
![Page 18: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/18.jpg)
SingleKeyDNSSEC
• Managing1keyissimplerthanmanaging2• Butonlyifyouhavea"quick"relaZonshipwithyourparentzone– NeedtochangetheDSrecordeveryZmeyouchangethekeysigningthezone
– Or,ifyouneverchangekeys...• SincetheinvenZonofEPP,thisisplausible– Youcantryit,butIsZllencourageKSK/ZSK
July21,2010 [email protected] 18
![Page 19: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/19.jpg)
SingleKey"Chain"
July21,2010 [email protected] 19
ParentZone子ゾーン.日本 DS1234582A057C8553....
ChildZone...子ゾーン.日本 DNSKEY257...;keyid=12345子ゾーン.日本 RRSIGDNSKEY...;by12345
TheZSK
![Page 20: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/20.jpg)
RFC5011
• Managementoftrustanchors– AnewkeyhastobepresentforsomeZmetoverifyitisindeedanewkey
– ArevokedkeyismarkedandsignedforsomeZmetoverifythekeyisremoved
• Intendedforusewheretheparentzoneisnotsignedorwon'tholdDSrecords
July21,2010 [email protected] 20
![Page 21: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/21.jpg)
KeyAlgorithmandSize
• DSA,RSA,RSA+NSEC3,GOST– SeehVp://www.iana.org/assignments/dns‐sec‐alg‐numbers/dns‐sec‐alg‐numbers.xhtml
• HashfuncZon– SHA‐1,SHA‐256orsomethingelse?
– SHA‐1isconsideredtobe"old"butsZllinuse• Size– Longerishardertobreak,slowertouse
July21,2010 [email protected] 21
![Page 22: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/22.jpg)
TheHashFuncZon
• SHA1– Publishedin1995– 160bits– Widespread,butgerngtobe"breakable"
• SHA2(orSHA256orSHA512)– Publishedin2001– 224/256or384/512bits– Morebits,harderto"break"
July21,2010 [email protected] 22
![Page 23: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/23.jpg)
IslongerbeVerandslower?
• Alongerkeyisthoughttobe– harderto"crack"soitismoresecure
– hardertoprocesssoitislessefficient
• Whatdocryptographersfeel?– DNSSECisusesasubsetofcryptographicfuncZons– Thereisn'tenoughuseofakeytocrackit,provideditisstrongenough(1024bits)
• Frankly,noonehasenoughexperienceyet
July21,2010 [email protected] 23
![Page 24: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/24.jpg)
KeyLifeZme
• LifeZme,fromcreaZontodeleZon,comprises– KeyeffecZvityperiod,theduraZonakeyisusedcryptographically
– KeyDNSSEClifeZme,theduraZonsneededtopublishandremoveakey,DNSTTLplaysarole
– RFC5011impactsZmingtoallowdetecZonofkeychangesifthereisnoparentsigning
July21,2010 [email protected] 24
![Page 25: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/25.jpg)
KeyeffecZvityperiod
• Thereissomedebate– DNSSECdevelopersthoughtthatkeyshadtobechangedbecauseofcryptographicproperZes
– Cryptographershavesaid(opinion)thatkeyswillbegood"unZlbroken"(whichistrue)
– InoperaZons,regularchangesaregoodbecause• Brokenkeysmaynotbedetected• Keyscannotberevoked(RFC5011isaspecialcase)• OperaZonalscriptsneedtobeexercised
July21,2010 [email protected] 25
![Page 26: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/26.jpg)
TTLimpacts
• hVp://tools.iet.org/html/drad‐morris‐dnsop‐dnssec‐key‐Zming‐02
• AssumeakeyiseffecZvefor3months
• WhataboutDNSzoneandcachepropagaZon?– Anewkeyhastobepre‐publishedtoavoidacachewitha"newdatasignatureandoldkeys."
– AnoldkeyhastohandaroundunZlallofitssignaturesaregone
July21,2010 [email protected] 26
![Page 27: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/27.jpg)
CacheImpact
July21,2010 [email protected] 27
Auth
NS
2日
0日
3日
1日
Cache
NS
Cache
NS
Cache
NS
公開鍵#2
公開鍵#1
公開鍵#1
公開鍵#1
Auth
NS
Cache
NS
Cache
NS
Cache
NS
公開鍵#2
公開鍵#1
公開鍵#2
公開鍵#1
Auth
NS
Cache
NS
Cache
NS
Cache
NS
公開鍵#2
公開鍵#2
公開鍵#2
公開鍵#1
Auth
NS
Cache
NS
Cache
NS
Cache
NS
公開鍵#2
公開鍵#2
公開鍵#2
公開鍵#2
![Page 28: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/28.jpg)
DNSSECBasicDNSKEYcycle
July21,2010 [email protected] 28
t=0 t=1 t=2 t=3
• t=0DNSKEYisaddedtozone• unZlt=1Somecacheswillhavetheoldset
• t=1AllcachesshouldhaveDNSKEY• unZlt=2PrivatekeycanmakeRRSIG
• t=2privatekeyreZred• unZlt=3RRSIGsinCaches,DNSKEYneeded• t=3DNSKEYisremovedfromzone
![Page 29: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/29.jpg)
BINDkeymanagement
• InBIND9.7thereisanewkeymangementfeature– (P)ublishist=0– (A)cZvateist=1– (I)nacZvateist=2– (D)eleteist=3
July21,2010 [email protected] 29
![Page 30: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/30.jpg)
ExperienceinUSandBIZ
• USsignedinDecember2009,openforDSrecordsinJune2010
• BIZbegansigningJuly2010
• BothzonesareusingNSECbecausethereisnoreasontouseNSEC3– ZonescanberetrievedviaFTP– Wearen'tconcernedaboutsize
July21,2010 [email protected] 30
![Page 31: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/31.jpg)
MypersonalTLDsurvey
• IhaveascriptthatasksforDNSKEYfromthedelegaZonsintherootandinARPA– Skewedbytestzonesintheroot– ARPAincludese164.ARPAandothersignedzones
• AsofearlyJuly,24"real"TLDsaresigned– Iusethisonlyforsanitychecking,notreliableasameasureofoverallDNSSECadopZon
– Youwillseereferenceto"41"‐thatincludestestzonesandARPAzones
July21,2010 [email protected] 31
![Page 32: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/32.jpg)
KeyRoles
• WeuseKSK/ZSK– Becauseourparentisslow(theroot),noautomaZcupdateinterfaceandnoquickturnaround
– Weplantochangekeysfrequently
• Survey,40outof41useKSK/ZSK– Butthatisn'tsurprisingasweallthinkalike
• Singlekeyuse– Workablebutinmyopinion,nottooscaleable
July21,2010 [email protected] 32
![Page 33: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/33.jpg)
KeyAlgorithm
• Nocryptosystemisimposed(bylaw)sowechoosewhatseemsbest
• Fromthe41signedzonesintherootplusARPAalluseRSA– 9zonesuseRSA‐SHA256,restuseRSA‐SHA1
• RecommendaZon– Unlessyoumustuseanalgorithmforlegalreasons,chooseRSA‐SHA256
• Don'tstartwithRSA‐SHA1(NSECorNSEC3!)July21,2010 [email protected] 33
![Page 34: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/34.jpg)
KeySizes
• WehavestucktothecommonwisdomofaKSKof2048andaZSKof1024bits
• Survey"themostcommonsetup"
July21,2010 [email protected] 34
![Page 35: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/35.jpg)
KeyLifeZme
• KeyeffecZvity– 1KbitZSK‐3months
– 2KbitKSK‐1year• Ourparameters– ZSKpublishedasaemergencykeyfor3months,signsfor3months
– KSKispublishedfor1yearastheemergencyand1yearastheacZve(DSatroot)
– TTLis6daysJuly21,2010 [email protected] 35
![Page 36: DNSSEC Key Management Policy · 2010-07-28 · Key Management July 21, 2010 ed.lewis@neustar.biz 3 • I learned a lot by reading US NIST documents – I am not sure if the same exist](https://reader034.vdocuments.mx/reader034/viewer/2022042121/5e9bfedabeb9b420767ffbe5/html5/thumbnails/36.jpg)
RFC5011support
• WeplantosupportRFC5011– ButinrealitywecouldjustrelyontherootzonetohavetheDSrecord
– Asasafetymechanism,wepublishourkeysetonawebsite,soRFC5011supportisagoodthing
• NoclearrecommendaZononRFC5011– Neededifparentisnotsigned– Probablynotifsigned
July21,2010 [email protected] 36