[dnssec-deployment] dot MUSEUM implemented DNSSEC

Steve Crocker steve at shinkuro.com
Fri Sep 19 06:35:57 EDT 2008


Mats,

How would you apply your reasoning after the root is signed?  Suppose the root were signed and IANA accepted keying information from each of the TLDs.  And suppose .MUSEUM forwarded its key to IANA just as it is doing -- or about to do -- today.  I assume every resolver will treat all the keys in the root with equal credibility.  Are you expecting IANA to impose some conditions on the keys it accepts from the TLD operators?  If so, what rules do you want them to follow?

Unless there are some specific rules put in place, it seems to me that each zone operator will be creating its own key under its own policies and passing them upward to its parent.  This is the same as how other zone information, e.g. NS records, is handled.

Thanks,

Steve




On Sep 19, 2008, at 5:22 AM, <Mats.Dufberg at teliasonera.com> wrote:

>> The fact that things like this are starting to happen *without* us hearing about it ahead of time is a very good sign.  The fact we're getting TLDs going forward without "is this safe" questions preceding it is good.
>>
>> Not saying anything and just doing it is a way of finding out whether this is safe :-).
>
> Well, I do not really agree. If you do not say anything and do not have information around DNSsec few will trust the TLD, i.e. few will add a trust anchor for it. Nobody will discover if the DNSsec is broken if nobody tries to validate it.
>
> Signing the zone is just part of the game. Until root is signed, a TLD must make sure it has clear documentation around its key handling and make resolvers trust its keys.
>
>
> Mats
>
> ------------------------------------------
> Mats Dufberg
> TeliaSonera
> BBS P&P VAS/Internet
> +46-70-2582588
> mats.dufberg at teliasonera.com
> ------------------------------------------