
Re: Last Call comment on draft-weiler-dnssec-dlv-iana-00.txt

2007-08-29 15:26:38

    The alternative is to direct IANA to collect, maintain and
    distribute this information to the DLV operators in the
    absence of a signed root.  This would give a trusted path
    for data entry into the general DLV trees.

I don't see why the information would be distributed only to DLV
operators.  Asking IANA to publish this data on a suitably updated
web page for the information of the community would enable
both DLV operators to use it as well as anyone who wanted to
configure those trust anchors without DLV.  As others have put this,
a trust anchor registry outside the DNS may retain the basic
mechanisms of DNSSEC better, while allowing folks to move past the
current issues with a signed root.

The underlying issue, of course, is how many TLD operators would
publish in a trust anchor registry if it is made available; hopefully
enough to provide convincing evidence that a signed root will
be worth the operational issues around protecting the keying
material.  I'm more worried that providing this registry (whether
in DLV form or some other form) will either delay work on
signing the root or that the response will be so anemic that folks
will *assume* it would be similarly anemic in the case of signed root.

In order of priority, in other words, my personal preferences are:
sign the root, put up a trust anchor registry outside the DNS, feed
the data to external DLVs, and set up a new DLV.

        The DLV operators only need this information up until the
        root is signed.  Once the root is signed the root's DLV will
        go in and these will be removed.

        That reminds me.  I should add a log message when we use the
        root's DLV record.  It's an indication that it is time to
        add the root keys to the configuration file.
                      regards,
                              Ted

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews(_at_)isc(_dot_)org