This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] root zone signing
bmanning at vacation.karoshi.com
Mon Oct 20 20:34:52 CEST 2008
On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
>
> I appreciate that some people will feel that legal agreements are an
> unavoidable consequence of signing. However that's a matter between
> each TLD (and its government?) and those co-ordinating the root.
> There are no technical grounds for parent and child zones to have a
> legal agreement underpinning their use of DNSSEC. So if a TLD wants to
> have a signed delegation, they can do that with or without an
> agreement or anything that could be viewed as an acceptance of the way
> the root is managed today. If a TLD doesn't want to have a signed
> delegation, then they don't have to. Nobody's being compelled to do
> anything they don't want.

well... as Lutz has demonstrated, it's often difficult to have a signed delegation and also be able to restrict who picks up your DNSKEY and plops it into their version of the parent delegation.

> All that's happening is some TLD presents its KSK,
> IANA verifies that key and then causes a signature over that key to be
> generated. Which pretty much means that IANA is saying "we assert that
> this was the TLD KSK that we checked": nothing more.

perhaps, if one buys into the argument that there is only a single parent. the .RU folks may want their signed data to only follow the JIMREID-root-o-ultimate-correctness and not appear at all in those fly-by-night outfits (PACROOT, ORSN, ICANN & RS.NET) ... harvesting DNSKEYS seems to be a very lightweight means of "asserting that this was the TLD-KSK that we checked".

> Likewise, they may
> well need to consult widely inside Russia before submitting a KSK
> for .ru to the signed root, if that was in place.

DNSKEY harvesting is a means to avoid having a formal means to submit your data to your parent ... any/everyone can pick it up and claim your ancestry.

--bill