In message
<AANLkTikni86AOABGKIB1_jOeQe0Ou4swpGrS8H1MbmrQ(_at_)mail(_dot_)gmail(_dot_)com>,
Phil
lip Hallam-Baker writes:
Being able to verify signatures is of no value.
The system only has value when you can act differently according to
whether the signature verifies or not.
I keep asking, but nobody will tell me how I get the keys for my
domains into the TLD.
Firstly you get DS records into the TLD not DNSKEY records. Secondly
it is/will be by a mechanism similar to how you get NS records into
the TLD. In other words go ask your registrar when they are going
to support adding DS records and stop complaining here.
This is not a technological problem. It is a business problem
between you, your registrar and the registry.
This is not a trivial issue. There is a question of liability to be
addressed. So far ICANN and VeriSign Registry Services have addressed
the issue by booting it down the chain. But the system as a whole
cannot work until there is someone willing to accept the liability and
for that to happen they are going to require tools to manage their
litigation risk.
How is the liability different from that of accepting NS records?
DS records don't magically change the liability. Stuffing up either
NS or DS records will break the delegation.
Does anyone know of a dotcom registrar offering key signing?
Or is the big plan here that everyone who is not going to accept
liability keep complaining about how far behind the registrars are
until they are forced to act?
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf