On 20 Feb 2019, at 13:29, Tony Finch wrote:

> However there has to be a bootstrap mechanism, and the only one available is for the validator vendor to provide an initial key set.

If it can provide an initial key set, it can also provide a current key set. See below :)

> I agree that rollovers need to be routine (I think annual makes sense) but they have to be planned with software releases in mind.

I strongly disagree. Users have a trust relationship that everything is built on already - that with their software vendors. For most people, that is ‘Debian’ or ‘CentOS’ or perhaps ‘Microsoft’. Debian already ships a dns-root-data package that contains the current root trust anchors. This package is updated outside of any release schedules imposed by ISC, PowerDNS, NLnetlabs, etc. I understand that the RedHat/CentOS/Fedora side of things also has plans for this, or maybe has done this meanwhile.

Please build on that relationship. It’s all we need.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
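As an added illustration (example code, not from this thread and not PowerDNS's or any other validator's code), here is what "build on that relationship" looks like inside a validator: read the root trust anchors from the OS package's file first, fall back to the vendor's built-in bootstrap set only if that file is absent, and expose key tags so the two sets can be compared. The path /usr/share/dns/root.key is assumed to be where Debian's dns-root-data package installs the key set; the DNSKEY records below are constructed dummies with tiny public keys, not real root KSKs. Key tags follow RFC 4034 Appendix B and the DS digest follows RFC 4034 section 5.1.4 with SHA-256.

```python
import base64
import hashlib
import os

# Path installed by Debian's dns-root-data package (assumption; check your distro).
OS_TRUST_ANCHOR_FILE = "/usr/share/dns/root.key"

# Constructed bootstrap set a validator build might embed. The public keys
# are tiny dummies, not real root KSKs.
BUILTIN_ROOT_KEYS = """\
. IN DNSKEY 257 3 8 AQIDBA==
"""

# Constructed stand-in for the OS package's root.key, one rollover ahead of
# the built-in set (again dummy keys).
SAMPLE_OS_ROOT_KEYS = """\
; constructed sample, not a real root zone key set
. 172800 IN DNSKEY 257 3 8 AQIDBA==
. 172800 IN DNSKEY 257 3 8 AQIDBAU=
"""


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: 2-byte flags, protocol, algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (the algorithm 1 special case is omitted)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire form of an owner name; '.' is a single zero byte."""
    if name == ".":
        return b"\x00"
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def ds_sha256(entry):
    """DS digest type 2: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    owner, flags, protocol, algorithm, pubkey = entry
    data = owner_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)
    return hashlib.sha256(data).hexdigest().upper()


def parse_dnskey_text(text):
    """Parse zone-file DNSKEY lines into {key_tag: (owner, flags, proto, alg, pubkey)}.
    Only keys with the SEP bit (flags & 1) are kept; those are the trust anchors."""
    anchors = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop comments and blank lines
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        owner = fields[0]
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        if not flags & 1:
            continue
        tag = key_tag(flags, protocol, algorithm, pubkey)
        anchors[tag] = (owner, flags, protocol, algorithm, pubkey)
    return anchors


def load_trust_anchors(os_file=OS_TRUST_ANCHOR_FILE, os_text=None):
    """Prefer the OS package's key set; fall back to the built-in bootstrap set.
    os_text lets a caller supply the file contents directly (used by the sample run)."""
    if os_text is None and os.path.isfile(os_file):
        with open(os_file, encoding="ascii") as fh:
            os_text = fh.read()
    if os_text is not None:
        anchors = parse_dnskey_text(os_text)
        if anchors:
            return "os-package", anchors
    return "builtin", parse_dnskey_text(BUILTIN_ROOT_KEYS)


def missing_from_builtin(os_anchors):
    """Key tags the OS package knows but the built-in set does not.
    A non-empty result means the vendor's bootstrap set is behind a rollover."""
    return sorted(set(os_anchors) - set(parse_dnskey_text(BUILTIN_ROOT_KEYS)))


if __name__ == "__main__":
    source, anchors = load_trust_anchors(os_text=SAMPLE_OS_ROOT_KEYS)
    print("trust anchors from", source)
    for tag, entry in sorted(anchors.items()):
        print(f"  {entry[0]} key tag {tag} DS {ds_sha256(entry)}")
    print("tags missing from built-in set:", missing_from_builtin(anchors))
```

The sample run uses the constructed text instead of touching the filesystem; on a Debian host with dns-root-data installed, calling load_trust_anchors() with no arguments reads the packaged file, and a non-empty missing_from_builtin result is the signal that the vendor's embedded bootstrap set has fallen behind the distribution's.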