[dns-wg] DNSSEC Policy Development Process
Jim Reid jim at rfc1035.com
Tue Aug 23 17:35:09 CEST 2005
> http://www.ripe.net/rs/reverse/dnssec/key-maintenance-procedure.html
> To a layman, the meaning of DLV can't be tracked down. A reference
> missing?

Thanks for your comments Marcos.

I personally think the reference to DLV needs to be replaced with something more generic. IIUC, so far nothing has been openly published about Domain Lookaside Validation and the code supporting it in BIND9.3 doesn't work. It may be that production quality DLV never sees the light of day or that some other (ad hoc?) mechanisms emerge for establishing DNSSEC trust anchors. And since the NCC is supposed to be neutral, it shouldn't be seen to be favouring one technique/kludge over another. [Even though nothing else like DLV seems to be on the horizon at present.]

And since the authors of DLV hope this scheme would be short-lived, it may not be a good idea to explicitly mention DLV in a policy document. Whenever DLV died or got superseded, the document would need to be updated if it mentioned DLV. So from that perspective, it may be better if the text in the proposal was made more generic. Perhaps it should say something like "The NCC would consider publishing its KSKs in appropriate registries that may emerge to facilitate the establishment of DNSSEC trust anchors"?

Another suggestion: how about establishing a trust anchor for .arpa and have the NCC's KSKs signed by that? This might help the other RIRs to sign their reverse trees or allow DNSSEC to spread into the IPv6 and ENUM worlds.

Any comments?