
Re: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt

2007-08-29 09:02:22
      The alternative is to direct IANA to collect, maintain and
      distribute this information to the DLV operators in the
      absence of a signed root.  This would give a trusted path
      for data entry into the general DLV trees.
I don't see why the information would be distributed only to DLV
operators.  Asking IANA to publish this data on a suitably updated
web page for the information of the community would enable
both DLV operators and anyone who wanted to
configure those trust anchors without DLV to use it.  As others have put this,
a trust anchor registry outside the DNS may retain the basic
mechanisms of DNSSEC better, while allowing folks to move past the
current issues with a signed root.

The underlying issue, of course, is how many TLD operators would
publish in a trust anchor registry if it is made available; hopefully
enough to provide convincing evidence that a signed root will
be worth the operational issues around protecting the keying
material.  I'm more worried that providing this registry (whether
in DLV form or some other form) will either delay work on
signing the root or that the response will be so anemic that folks
will *assume* it would be similarly anemic in the case of signed root.

In order of priority, in other words, my personal preferences are:
sign the root, put up a trust anchor registry outside the DNS, feed
the data to external DLVs, and set up a new DLV.

                        regards,
                                Ted

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf