[dnssec-deployment] Nominet position paper about Signing the Root.
regnauld+dnssec at catpipe.net
Tue Dec 4 03:34:03 EST 2007
Michael StJohns (mstjohns) writes:
> If you want multiple entities to be responsible for the signatures on the root zone - use the appropriate technology. Threshold signatures will work without any changes to any of the end systems and will make the root signatures dependent on more than just the root zone owner without any of the problems you would encounter with multiple signatures.
So what's the threshold here?
I think the most likely scenario that needs to be addressed is that
failure (for technical or operational reasons) for one party (IANA)
to sign the root should not stop operation of the root. But if IANA
refuses to sign the zone, but Verisign accepts, is that good enough?
etc... Can we have a threshold to be a combination of "if not this sig,
then at least these other two"? We're quickly moving away from
technical incapability into the realm of policy issues and associated
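The access structure asked about above ("this sig, or else at least these other two") can be expressed as a weighted threshold. The Python below is an added example, not part of the original message: it uses Shamir secret sharing of a stand-in key value to show which coalitions reach the threshold, whereas a real threshold signature scheme would produce the signature without ever reassembling the key. The weights, the threshold of 2 and the party name `third-party` are assumptions.

```python
import secrets

P = 2**127 - 1  # prime modulus (a Mersenne prime)

def split(secret, weights, threshold):
    """Give each party `weight` points on a random degree-(threshold-1) polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P - 1) + 1 for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    shares, x = {}, 1
    for party, weight in weights.items():
        shares[party] = [(x + k, f(x + k)) for k in range(weight)]
        x += weight
    return shares

def combine(points):
    """Lagrange interpolation at x = 0 over the supplied points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def can_sign(shares, coalition, secret, threshold):
    """True if the coalition's pooled shares reach the threshold and recover the secret."""
    pooled = [pt for party in coalition for pt in shares[party]]
    return len(pooled) >= threshold and combine(pooled[:threshold]) == secret

# Constructed sample: IANA holds two shares, each other party one (assumed weights).
WEIGHTS = {"IANA": 2, "Verisign": 1, "third-party": 1}
THRESHOLD = 2

def demo():
    key = secrets.randbelow(P)  # stand-in for the signing key
    shares = split(key, WEIGHTS, THRESHOLD)
    coalitions = [("IANA",), ("Verisign", "third-party"), ("Verisign",), ("third-party",)]
    return {c: can_sign(shares, c, key, THRESHOLD) for c in coalitions}

if __name__ == "__main__":
    for coalition, ok in demo().items():
        print(" + ".join(coalition), "->", "can sign" if ok else "cannot sign")
```

Weighted thresholds cover this particular rule, but not every policy of the form "A, or B and C, but never B and D" can be written as weights; those need a general access-structure scheme.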