This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[staff] [local-ir at ripe.net] signing the roots
Andrei Robachevsky
andrei at ripe.net
Tue Apr 22 16:01:05 CEST 2003
Dear colleagues,
At the DNS-WG at the last RIPE meeting (RIPE 44) Johan Ihren presented
his proposal for an interim scheme for signing the public DNS root. The
current version of this Internet-Draft is:
draft-ietf-dnsop-interim-signed-root-01.txt
The full text of this Internet-Draft can be found at:
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-interim-signed-root-01.txt
In the Internet-Draft, a mechanism has been proposed for a first stage
of a transition from an unsigned DNS root to a signed root, such that the
data in the root zone is accompanied by DNSSEC signatures to allow
validation. The process of doing this involves the use of a set of
operator keys which are signed by one key signing key, sometimes
referred to as a "master key". It has been further proposed that these key
signing keys be managed by the Regional Internet Registries (RIRs).
The proposal states the requirements of the RIRs would be to:
* establish a secure out-of-band communication path in collaboration
with the signing operators which will be used for authenticated exchange
of the unsigned keyset.
* periodically generate strong keys using a good random number
generator
* manage their keys (i.e. use them for signing the operator keyset
and keeping the private key appropriately secret)
Question:
Since this Internet-Draft suggests future action by the RIRs, the RIPE
community should discuss this issue and provide feedback to the author.
Therefore, the following question is asked:
Is this a task that should be performed by the RIPE NCC?
Please direct your feedback to the dns-wg at ripe.net mailing list.
Regards,
Andrei Robachevsky
CTO, RIPE NCC