Re: [dns-wg] DNSSEC Policy Development Process
To: Marcos Sanz/Denic <>
From: Jim Reid <>
Date: Tue, 23 Aug 2005 16:35:09 +0100

> http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
> To a layman, the meaning of DLV can't be tracked down. A reference
> missing?

Thanks for your comments Marcos.

I personally think the reference to DLV needs to be replaced with
something more generic. IIUC, so far nothing has been openly
published about Domain Lookaside Validation and the code supporting
it in BIND9.3 doesn't work. It may be that production quality DLV
never sees the light of day or that some other (ad hoc?) mechanisms
emerge for establishing DNSSEC trust anchors. And since the NCC is
supposed to be neutral, it shouldn't be seen to be favouring one
technique/kludge over another. [Even though nothing else like DLV
seems to be on the horizon at present.] And since the authors of DLV
hope this scheme would be short-lived, it may not be a good idea to
explicitly mention DLV in a policy document. Whenever DLV died or got
superseded, the document would need to be updated if it mentioned DLV.

So from that perspective, it may be better if the text in the
proposal was made more generic. Perhaps it should say something like
"The NCC would consider publishing its KSKs in appropriate registries
that may emerge to facilitate the establishment of DNSSEC trust
anchors"?

Another suggestion: how about establishing a trust anchor for .arpa
and have the NCC's KSKs signed by that? This might help the other
RIRs to sign their reverse trees or allow DNSSEC to spread into the
IPv6 and ENUM worlds.

Any comments?