[dns-wg] root zone signing

On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
> 
> I appreciate that some people will feel that legal agreements are an  
> unavoidable consequence of signing. However that's a matter between  
> the each TLD (and its government?) and those co-ordinating the root.  
> There are no technical grounds for parent and child zones to have a  
> legal agreement underpinning their use of DNSSEC. So if a TLD wants to  
> have a signed delegation, they can do that with or without an  
> agreement or anything that could be viewed as an acceptance of the way  
> the root is managed today. If a TLD doesn't want to have a signed  
> delegation, then they don't have to. Nobody's being compelled to do  
> anything they don't want.

	well... as Lutz has demostrated, its often difficult to 
	have a signed delegation and also be able to restrict whom
	picks up your DNSKEY and plops it into their version of the parent
	delegation.

> All that's happening is some TLD presents its KSK,  
> IANA verifies that key and then causes a signature over that key to be  
> generated. Which pretty much means that IANA is saying "we assert that  
> this was the TLD KSK that we checked": nothing more.

	perhaps, if one buys into the argument that there is only a
	single parent.  the .RU folks may want their signed data to
	only follow the JIMREID-root-o-ultimate-correctness and not
	appear at all in those fly-by-night outfits (PACROOT, ORSN,
	ICANN & RS.NET)  ...  harvesting DNSKEYS seems to be a 
	very lightweight means of "asserting that this was the TLD-KSK
	that we checked".

> Likewise, they may  
> well need to consult widely inside Russia before submitting a KSK  
> for .ru to the signed root, if that was in place.

	DNSKEY harvesting is a means to avoid having a formal
	means to submit your data to your parent ... any/everyone
	can pick it up and claim your ancestry.  

--bill