[dnssec-deployment] meeting announcement: 18 June 2008

Mats.Dufberg at teliasonera.com
Tue Jun 10 16:22:03 EDT 2008

> From: vixie at vix.com [mailto:vixie at vix.com] On Behalf Of Paul Vixie
> Sent: den 10 juni 2008 21:57
> > I'm convinced that RFC 5011 can make the difference for the DNSsec
> > deployment in the world.
> > 
> > Mats
> as the operator of a big DNS resolver in Sweden, that's a sensible view,
> since most of your users in Sweden and many of the secure names they want
> to look up are in a signed TLD (.SE).
> for those of us whose parent domain (.COM) isn't signed, RFC 5011 does not
> look like it's going to make much difference for DNSSEC deployment in the
> world.  I hope you can visualize this difference in perspective.

I've not done any counting of the domain names that our customers look
up via our resolvers, but I'm sure that .COM has the largest share. Our
customers also want them to be validated.

I'm not against DLV, even though I see it as a "hack". I've suggested a
DLV for TLDs, but that DLV should be run under contract with the TLDs and
by a body that could not be questioned. RIPE or IANA could be the
operator of such a DLV.

A DLV for .COM domain names must be run by the .COM Registry, or we
would never trust it. If Verisign sets up a DLV for .COM, we will take a
look at it and ask them if they will be RFC 5011 compliant. If someone
else runs a DLV for .COM, they will never be able to keep the holder of
the DNSSEC key synchronized with the holder of the domain name, and we
will never add that to our resolvers.

When .COM is signed, when root is signed, we will still need some means
of keeping the trust anchors synchronized with the KSKs, and that is
where RFC 5011 comes in. We will need RFC 5011 forever; DLV could help
us for a short while.


Mats Dufberg
BBS P&P VAS/Internet
mats.dufberg at teliasonera.com
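The mechanism the post relies on, RFC 5011's automated trust-anchor update, is a small state machine run by the validating resolver over each DNSKEY RRset it fetches for a trust point: a new SEP key is held in AddPend for a hold-down period before it is trusted, a key published with the REVOKE bit and a self-signature is dropped after a second hold-down, and nothing happens at all unless the RRset is signed by an anchor the resolver already trusts. The following Python is an added illustration of that machine, not code from the original list post or from any resolver; key names ("ksk1", "ksk2", "ksk3"), the timeline, and the `signers` set standing in for RRSIG verification are constructed, and the add hold-down ignores the RFC's "or the original TTL, whichever is greater" clause.

```python
"""Simplified RFC 5011 trust-anchor state machine with a simulated KSK rollover.

Constructed example: keys are plain strings, time is in seconds, and RRSIG
verification is modelled by the Observation.signers set.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set

DAY = 86400
ADD_HOLD_DOWN = 30 * DAY     # RFC 5011 s2.4.1 (TTL clause omitted here)
REMOVE_HOLD_DOWN = 30 * DAY  # RFC 5011 s2.4.1


@dataclass
class Observation:
    """One fetched view of the trust point's DNSKEY RRset (constructed)."""
    time: int
    keys: Set[str]        # SEP-bit keys present in the RRset
    revoked: Set[str]     # subset of keys carrying REVOKE and a self-RRSIG
    signers: Set[str]     # keys whose RRSIG over the RRset verified


@dataclass
class Anchor:
    state: str   # AddPend | Valid | Missing | Revoked
    since: int   # time the current state was entered (drives the hold-downs)


class TrustPoint:
    def __init__(self, configured: Iterable[str], now: int) -> None:
        # Statically configured anchors (e.g. from a resolver config) start Valid.
        self.anchors: Dict[str, Anchor] = {k: Anchor("Valid", now) for k in configured}
        self.removed: Set[str] = set()   # Removed is terminal in RFC 5011

    def trusted(self) -> Set[str]:
        # Valid anchors validate. Missing (seen before, absent now) is described by
        # the RFC as abnormal but still trusted. AddPend and Revoked never validate.
        return {k for k, a in self.anchors.items() if a.state in ("Valid", "Missing")}

    def observe(self, obs: Observation) -> bool:
        """Apply one RRset observation; return False if it was not accepted."""
        # The RRset only drives the machine when a current anchor signed it; this
        # is what prevents an on-path attacker from introducing a key of their own.
        if not (obs.signers & self.trusted()):
            return False
        for key in obs.keys - self.anchors.keys() - self.removed:
            self.anchors[key] = Anchor("AddPend", obs.time)          # Start -> AddPend
        for key, a in list(self.anchors.items()):
            present, revoked = key in obs.keys, key in obs.revoked
            if a.state == "AddPend":
                if revoked or not present:
                    del self.anchors[key]                            # -> Start; timer restarts
                elif obs.time - a.since >= ADD_HOLD_DOWN:
                    self._enter(key, "Valid", obs.time)              # AddTime -> Valid
            elif a.state == "Valid":
                if revoked:
                    self._enter(key, "Revoked", obs.time)            # Revbit -> Revoked
                elif not present:
                    self._enter(key, "Missing", obs.time)            # KeyRem -> Missing
            elif a.state == "Missing":
                if revoked:
                    self._enter(key, "Revoked", obs.time)
                elif present:
                    self._enter(key, "Valid", obs.time)              # KeyPres -> Valid
            elif a.state == "Revoked" and obs.time - a.since >= REMOVE_HOLD_DOWN:
                del self.anchors[key]                                # RemTime -> Removed
                self.removed.add(key)
        return True

    def _enter(self, key: str, state: str, now: int) -> None:
        self.anchors[key] = Anchor(state, now)

    def states(self) -> Dict[str, str]:
        return {k: a.state for k, a in self.anchors.items()}


def simulate_rollover(t0: int = 1_200_000_000) -> Dict[str, object]:
    """Walk a constructed ksk1 -> ksk2 rollover and record the anchor states."""
    tp = TrustPoint(["ksk1"], t0)
    log: Dict[str, object] = {}
    # Day 1: forged RRset signed only by an unknown key; must be ignored outright.
    log["forged_accepted"] = tp.observe(
        Observation(t0 + 1 * DAY, {"ksk1", "evil"}, set(), {"evil"}))
    # Day 2: zone pre-publishes ksk2 and ksk3, RRset signed by the trusted ksk1.
    tp.observe(Observation(t0 + 2 * DAY, {"ksk1", "ksk2", "ksk3"}, set(), {"ksk1"}))
    log["day2"] = tp.states()
    # Day 20: ksk3 vanished before its hold-down ended -> back to Start.
    tp.observe(Observation(t0 + 20 * DAY, {"ksk1", "ksk2"}, set(), {"ksk1"}))
    log["day20"] = tp.states()
    # Day 33: ksk2 has been continuously present for 30+ days -> Valid.
    tp.observe(Observation(t0 + 33 * DAY, {"ksk1", "ksk2"}, set(), {"ksk1", "ksk2"}))
    log["day33"] = tp.states()
    # Day 40: ksk1 republished with REVOKE set and self-signed -> Revoked.
    tp.observe(Observation(t0 + 40 * DAY, {"ksk1", "ksk2"}, {"ksk1"}, {"ksk1", "ksk2"}))
    log["day40"] = tp.states()
    # Day 71: remove hold-down elapsed -> ksk1 gone, ksk2 is the sole anchor.
    tp.observe(Observation(t0 + 71 * DAY, {"ksk2"}, set(), {"ksk2"}))
    log["day71"] = tp.states()
    return log


if __name__ == "__main__":
    for step, value in simulate_rollover().items():
        print(step, value)
```

The forged-RRset step is the point that matters operationally: a resolver that skips the "signed by a current anchor" check would let anyone who can answer its queries plant a trust anchor, which is exactly the key-holder/name-holder synchronization problem the post raises for a third-party DLV. The hold-downs, in turn, are why a rollover at the trust point has to be planned at least 30 days ahead of the old KSK's revocation.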
