
Trust anchor configuration and maintenance

Trust anchor configuration and maintenance. Matt Larson (mlarson@verisign.com), Ólafur Guðmundsson (ogud@ogud.com). Motivations: certain trust anchors need to be distributed out-of-band; one universal mechanism is better than many. What to configure for a TA?


Presentation Transcript


  1. Trust anchor configuration and maintenance
     Matt Larson (mlarson@verisign.com)
     Ólafur Guðmundsson (ogud@ogud.com)
     DNSOP @ IETF68

  2. Motivations
     • Certain Trust Anchors need to be distributed out-of-band
     • One universal mechanism is better than many

  3. What to configure for a TA?
     • Public key of the trust anchor (DNSKEY)
     • Cryptographic hash (DS)

  4. Recommendations
     • Use DS SHA256 as the TA configuration format.
     • Perform priming queries on demand and repeat when the DNSKEY set expires due to TTL

  5. TA Maintenance
     • Use the timers mechanism promoted by DNSEXT to go forward when possible
     • Get root key TA via trusted update mechanism (examples)
       • Software/OS updates
       • Specialized small software module checks for changes periodically

  6. Next Steps
     • Would like DNSOP to adopt document
     • Open issues:
       • Alternate, more human-friendly hash than DS?
       • More operational recommendations?
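Slides 3 and 4 recommend configuring a trust anchor as a DS SHA256 hash and fetching the DNSKEY set with a priming query. The sketch below is an added example, not code from the presentation: it shows how a validator could select which keys in a priming response the configured DS vouches for. The function names, the anchor dictionary layout and all key bytes are constructed for illustration.

```python
import hashlib
import hmac
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a domain name; "." is the root."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (a checksum, not a hash)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def matching_keys(anchor: dict, dnskey_rrset: list) -> list:
    """Return the DNSKEY RDATAs in a priming response that the DS anchor covers."""
    trusted = []
    for rdata in dnskey_rrset:
        if len(rdata) < 4:
            continue  # malformed record
        flags, _proto, alg = struct.unpack("!HBB", rdata[:4])
        if not flags & 0x0100:  # Zone Key bit must be set
            continue
        if alg != anchor["algorithm"] or key_tag(rdata) != anchor["key_tag"]:
            continue  # cheap pre-filter only; the digest decides
        if hmac.compare_digest(ds_sha256(anchor["owner"], rdata), anchor["digest"]):
            trusted.append(rdata)
    return trusted

# Constructed sample data (not real root keys).
KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))
ZSK = dnskey_rdata(256, 3, 8, bytes(range(65, 129)))
# Same key tag as KSK (two even-offset bytes swapped), different key material.
COLLIDING = KSK[:4] + bytes([KSK[6], KSK[5], KSK[4]]) + KSK[7:]
ANCHOR = {"owner": ".", "key_tag": key_tag(KSK), "algorithm": 8,
          "digest": ds_sha256(".", KSK)}

if __name__ == "__main__":
    print(len(matching_keys(ANCHOR, [ZSK, COLLIDING, KSK])), "key(s) matched the anchor")
```

A matching key is only the starting point: the validator must still verify the RRSIG over the DNSKEY set with that key before trusting the rest of the set, and repeat the priming query when the set's TTL expires.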
