[dnssec-deployment] meeting announcement: 18 June 2008
Steve Crocker
steve at shinkuro.com
Tue Jun 10 16:36:08 EDT 2008
Mats,
I have trouble believing a TLD operator would set up a DLV but not be
willing to run DNSSEC. If the TLD operator were willing to accept DS
keys from its registrants, either directly or through its registrars,
and if it were willing to operate a DLV name server, how much less
work and less commitment is that than simply serving the DS records
directly?
With that question in mind, I don't understand how it makes sense to
say the only way you could trust a DLV is if it were run by the TLD
operator. That would seem to me to be a stalemate.
There is now a TAR white paper. Let me ask you to read it and respond.
Thanks,
Steve
On Jun 10, 2008, at 4:22 PM, <Mats.Dufberg at teliasonera.com> wrote:
>> From: vixie at vix.com [mailto:vixie at vix.com] On Behalf Of Paul Vixie
>> Sent: 10 June 2008 21:57
> (...)
>>> I'm convinced that RFC 5011 can make the difference for the DNSSEC
>>> deployment in the world.
>>>
>>> Mats
>>
>> as the operator of a big DNS resolver in Sweden, that's a sensible view,
>> since most of your users in sweden and many of the secure names they want
>> to look up are in a signed TLD (.SE).
>>
>> for those of us whose parent domain (.COM) isn't signed, RFC 5011 does not
>> look like it's going to make much difference for DNSSEC deployment in the
>> world. i hope you can visualize this difference in perspective.
>
> I've not done any counting of the domain names that our customers
> look up via our resolvers, but I'm sure that .COM has the largest
> share. Our customers also want them to be validated.
>
> I'm not against DLV, even though I see it as a "hack". I've suggested a
> DLV for TLDs, but that DLV should be run in contract with the TLDs and
> by a body that could not be questioned. RIPE or IANA could be the
> operator of such a DLV.
>
> A DLV for .COM domain names must be run by the .COM Registry, or we
> would never trust it. If Verisign sets a DLV up for .COM, we will take a
> look at it and ask them if they will be RFC 5011 compliant. If someone
> else runs a DLV for .COM they will never be able to keep the holder of
> the DNSSEC key synchronized with the holder of the domain name. And we
> will never add that to our resolvers.
>
> When .COM is signed, when root is signed, we will still need some means
> of keeping the trust anchors synchronized with the KSKs, and that is
> where RFC 5011 comes in. We will need RFC 5011 forever; DLV could help
> us for a short while.
>
> Mats
>
> ------------------------------------------
> Mats Dufberg
> TeliaSonera
> BBS P&P VAS/Internet
> +46-70-2582588
> mats.dufberg at teliasonera.com
> ------------------------------------------
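The RFC 5011 mechanism Mats relies on for keeping trust anchors in step with a zone's KSKs, as an added example that is not from this thread: a minimal validator-side trust-anchor state machine with the 30-day add-hold-down and self-signed revocation. It is simplified (no remove-hold-down for anchors that go missing), and the key tags, timestamps and signer sets are constructed inputs.

```python
from dataclasses import dataclass, field
from enum import Enum

HOLD_DOWN = 30 * 24 * 3600  # RFC 5011 add-hold-down time: 30 days in seconds


class State(Enum):
    ADD_PEND = "add-pend"   # seen, signed by a trusted anchor, waiting out hold-down
    VALID = "valid"         # usable trust anchor
    REVOKED = "revoked"     # REVOKE bit seen on a self-signed key; never trusted again


@dataclass
class Anchor:
    state: State
    first_seen: int = 0     # when the key was first observed (seconds)


@dataclass
class TrustStore:
    anchors: dict = field(default_factory=dict)  # key tag -> Anchor

    def trusted(self):
        return {t for t, a in self.anchors.items() if a.state == State.VALID}

    def observe(self, now, keyset, revoked, signed_by):
        """Process one observation of the zone's apex DNSKEY RRset.
        keyset: key tags with the SEP bit; revoked: subset with the REVOKE bit;
        signed_by: tags whose RRSIGs over the RRset verified."""
        # RFC 5011 only acts on RRsets signed by a currently valid anchor.
        if not (signed_by & self.trusted()):
            return
        for tag in keyset:
            a = self.anchors.get(tag)
            if tag in revoked:
                # Revocation is honoured only if the revoked key signs the RRset itself.
                if a and a.state == State.VALID and tag in signed_by:
                    a.state = State.REVOKED
                continue
            if a is None:
                self.anchors[tag] = Anchor(State.ADD_PEND, now)
            elif a.state == State.ADD_PEND and now - a.first_seen >= HOLD_DOWN:
                a.state = State.VALID
        # A pending key that disappears before the hold-down elapses starts over.
        for tag, a in list(self.anchors.items()):
            if tag not in keyset and a.state == State.ADD_PEND:
                del self.anchors[tag]
```

Feed it one `observe()` call per validated DNSKEY fetch; a new KSK becomes trusted only after being continuously published and signed by an existing anchor for the full hold-down period.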