[dns-wg] root zone signing
bmanning at vacation.karoshi.com
Mon Oct 20 20:34:52 CEST 2008
On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
>
> I appreciate that some people will feel that legal agreements are an
> unavoidable consequence of signing. However that's a matter between
> each TLD (and its government?) and those co-ordinating the root.
> There are no technical grounds for parent and child zones to have a
> legal agreement underpinning their use of DNSSEC. So if a TLD wants to
> have a signed delegation, they can do that with or without an
> agreement or anything that could be viewed as an acceptance of the way
> the root is managed today. If a TLD doesn't want to have a signed
> delegation, then they don't have to. Nobody's being compelled to do
> anything they don't want.

well... as Lutz has demonstrated, it's often difficult to have a signed delegation and also be able to restrict who picks up your DNSKEY and plops it into their version of the parent delegation.

> All that's happening is some TLD presents its KSK,
> IANA verifies that key and then causes a signature over that key to be
> generated. Which pretty much means that IANA is saying "we assert that
> this was the TLD KSK that we checked": nothing more.

perhaps, if one buys into the argument that there is only a single parent. the .RU folks may want their signed data to only follow the JIMREID-root-o-ultimate-correctness and not appear at all in those fly-by-night outfits (PACROOT, ORSN, ICANN & RS.NET) ... harvesting DNSKEYS seems to be a very lightweight means of "asserting that this was the TLD-KSK that we checked".

> Likewise, they may
> well need to consult widely inside Russia before submitting a KSK
> for .ru to the signed root, if that was in place.

DNSKEY harvesting is a means to avoid having a formal means to submit your data to your parent ... any/everyone can pick it up and claim your ancestry.

--bill
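
The point about DNSKEY harvesting, as an added example that is not part of the original message: a DS record is derived only from a zone's owner name and its published DNSKEY (RFC 4034), so a DS in some parent zone is not evidence that the child submitted anything. The sketch below derives a SHA-256 DS and lets a zone operator check whether a DS seen in a given parent refers to their own key; the function names and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag checksum from RFC 4034 Appendix B."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey):
    """Return (key tag, algorithm, digest type 2 = SHA-256, hex digest).

    Every input is public data from the child zone; no private key is involved.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches_key(published_ds, owner, flags, protocol, algorithm, pubkey):
    """Audit helper: does a DS observed in some parent zone refer to this key?"""
    tag, alg, dtype, digest = published_ds
    if dtype != 2:
        raise ValueError("only SHA-256 (digest type 2) is handled in this sketch")
    expected = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey)
    return (tag, alg, dtype, digest.upper()) == expected

# Constructed sample: KSK flags (257), protocol 3, algorithm 8, placeholder key bytes.
SAMPLE_KEY = ("example.", 257, 3, 8, b"\x01\x02\x03\x04")

if __name__ == "__main__":
    ds = ds_from_dnskey(*SAMPLE_KEY)
    print("example. IN DS %d %d %d %s" % ds)
    print("refers to our key:", ds_matches_key(ds, *SAMPLE_KEY))
```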