The alternative is to direct IANA to collect, maintain and
distribute this information to the DLV operators in the
absence of a signed root. This would give a trusted path
for data entry into the general DLV trees.
I don't see why the information would be distributed only to DLV
operators. Asking IANA to publish this data on a suitably updated
web page for the information of the community would enable
both DLV operators to use it as well as anyone who wanted to
configure those trust anchors without DLV. As others have put this,
a trust anchor registry outside the DNS may retain the basic
mechanisms of DNSSEC better, while allowing folks to move past the
current issues with a signed root.
The underlying issue, of course, is how many TLD operators would
publish in a trust anchor registry if it is made available; hopefully
enough to provide convincing evidence that a signed root will
be worth the operational issues around protecting the keying
material. I'm more worried that providing this registry (whether
in DLV form or some other form) will either delay work on
signing the root or that the response will be so anemic that folks
will *assume* it would be similarly anemic in the case of a signed root.
In order of priority, in other words, my personal preferences are:
sign the root, put up a trust anchor registry outside the DNS, feed
the data to external DLVs, and set up a new DLV.
The DLV operators only need this information up until the
root is signed. Once the root is signed the root's DLV will
go in and these will be removed.
That reminds me. I should add a log message when we use the
root's DLV record. It's an indication that it is time to
add the root keys to the configuration file.
regards,
Ted
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews(_at_)isc(_dot_)org