[dnssec-deployment] DLV or not

Robert Martin-Legene rlegene at gmail.com
Thu Oct 20 16:42:18 EDT 2005


2005/9/21, Sam Weiler <weiler+lists.dnssec-deploy at watson.org>:
> I'd really appreciate hearing more specific details of what you think
> is missing from this document:
>
> http://www.watson.org/~weiler/dlv/draft-weiler-dnssec-dlv-pre00.txt

Hello Sam.

I think the whole DLV discussion has left out something. I haven't
mentioned it before because I thought it was obvious and everyone just
accepted it as the way it had to be. Nevertheless, I feel it must be
mentioned - at least so we are all on the same page.

Let's assume that a TLD registry (e.g. bv.) hasn't yet deployed DNSSEC
and there is a DLV broker who is so successful as to get onlyice.bv.
as a customer. They exchange handshakes, keys and green paper slips. All
is good. But two weeks later the TLD registry, for whatever reason,
changes the registrant/owner of onlyice.bv. to some other entity...

How is the TLD registry supposed to signal this to $X number of DLV brokers?

Aren't the DLV brokers supposed to find this out by themselves?

How can the brokers really know what they get from querying the TLD
name servers is actually from the registry?

What MUST the broker do in a case where the public and unsecured name
server for bv. seemingly points to some new set of name servers?

I think it is essential that this be addressed, or you will undermine the
authority of the TLD registries which don't run DNSSEC, and people will
lose confidence in the DLVs overall.

You may say it's out of the scope of your document, but in that case I
think another document is needed, which focuses on the
not-100%-resolver-based problems.

-- robert, .dk

(did I spell "lose" right David?) :-)



More information about the Dnssec-deployment mailing list