[dnssec-deployment] dnssec automatic trust anchor configuration

Paul Wouters paul at xelerance.com
Mon Mar 12 20:37:35 EDT 2007

On Mon, 12 Mar 2007, Paul Vixie wrote:

> if an isp can prove to a ISC (as a DLV registry operator) that they received a
> DLV RR from the registrant, in the same way that an icann-accredited registrar
> could do, then we'd certainly want to explore a relationship with them.

The point is, customers in general don't care, "just keep my domain running
and safe". Most of them outsource the entire domain hosting/dns to the ISP.
Therefor, the ISP is the entity creating the DLV RR, not the registrant.

This applies to me for 99.9% of the domains at xtdnet.nl.

> > If I want to submit 500 domains for DLV, I really don't want my 100
> > customers to require some kind of relationship with the DLV registry.
> then you'll have to get letters of representation from your customers, or so.

Then forget adoptation by ISP's. My customers don't know what DNSSEC is, and
they don't care, as long as I keep their domain securely running. The last
thing they want is more paperwork (ask nic.nl how well paper works)

> > I want the DLV to verify that I'm the tech-c for these domains and therefor
> > responsible for them and th eresults of putting them into the DLV.
> there is no technical way to do that.  e-mail "from you" could be forged, etc.

I am not saying *I* should not have any relation with the DLV registry. Some
kind of "sec-c" (a la NLnetlabs .nl.nl experiment) would be fine. But if you
require each domain's admin-c to reply back to you, then the DLV will only
get populated by TLD's. That's great for the TLD keys, but sucks for all those
domains that are dnssec capable, but happen to live in the wrong TLD.

A customer with 50 domains is not going to send 50 emails to ISC, even
if I asked them. The only way this is going to happen is through the
tech-c (which is the ISP)

> > For DNSSEC enabled TLD's, I'd rather just configure the proper trusted-keys
> > into my resolver, and skip the DLV altogether? I am confused why anyone
> > would want to copy the .se zone into the dlv?
> you say you want scale, and yet you expect the entire "relier" (ed's word)
> population to manually import each TLD key

I'm sorry, I thought what was proposed was to put all .se domain keys in the
DLV. Sorry.


More information about the Dnssec-deployment mailing list