[dns-wg] root zone signing
Peter Koch
pk at DENIC.DE
Tue Oct 21 17:34:36 CEST 2008
On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:

> IMO, there's no "lawyer stuff" here. At least as far as signing the
> root is concerned. All that's happening is some TLD presents its KSK,
> IANA verifies that key and then causes a signature over that key to be
> generated. Which pretty much means that IANA is saying "we assert that
> this was the TLD KSK that we checked": nothing more.

IMHO it is important to emphasize that the semantics are in the DS RR, not in the RRSIG(DS). The latter only authenticates the (technically authoritative) DS RR in the parent zone. At least in theory, one could start to publish DS RRs without signing them.

-Peter
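An added example, not part of the original message: how a DS record is derived from a child zone's KSK (key tag per RFC 4034 Appendix B, SHA-256 digest per RFC 4509), showing that the binding to the key sits in the DS RDATA itself and can be checked with no RRSIG involved. The zone name `example.` and the key bytes are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import struct

# Constructed placeholder bytes, not a real public key.
SAMPLE_KSK = bytes(range(64))

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-cased) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (16 bit), protocol (8), algorithm (8), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, public_key):
    """DS fields (key tag, algorithm, digest type 2, hex digest) for a child key."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_matches(ds, owner, flags, protocol, algorithm, public_key) -> bool:
    """True if the DS in the parent refers to exactly this child DNSKEY."""
    return ds == make_ds(owner, flags, protocol, algorithm, public_key)

if __name__ == "__main__":
    # Flags 257 = zone key with SEP bit (a KSK), protocol 3, algorithm 8 (RSASHA256).
    ds = make_ds("example.", 257, 3, 8, SAMPLE_KSK)
    print("example. IN DS %d %d %d %s" % ds)
    print("matches presented KSK:", ds_matches(ds, "example.", 257, 3, 8, SAMPLE_KSK))
    print("matches a different key:", ds_matches(ds, "example.", 257, 3, 8, SAMPLE_KSK[::-1]))
```

The comparison succeeds or fails purely on the DS content; what an RRSIG over the DS RRset adds is a way for a validator to authenticate that the DS really came from the parent zone.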