[dns-wg] root zone signing
- Previous message (by thread): [dns-wg] root zone signing
- Next message (by thread): [dns-wg] Re: root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Peter Koch
pk at DENIC.DE
Tue Oct 21 17:34:36 CEST 2008
On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote: > IMO, there's no "lawyer stuff" here. At least as far as signing the > root is concerned. All that's happening is some TLD presents its KSK, > IANA verifies that key and then causes a signature over that key to be > generated. Which pretty much means that IANA is saying "we assert that > this was the TLD KSK that we checked": nothing more. IMHO it is important to emphasize that the semantics are in the DS RR, not in the RRSIG(DS). The latter only authenticates the (technically authoritative) DS RR in the parent zone. At least in theory, one could start to publish DS RRs without signing them. -Peter
- Previous message (by thread): [dns-wg] root zone signing
- Next message (by thread): [dns-wg] Re: root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]