SV: [dnssec-deployment] dot MUSEUM implemented DNSSEC

Anne-Marie Eklund-Löwinder Anne-Marie.Eklund-Lowinder at iis.se
Fri Sep 19 07:09:10 EDT 2008


I would like to highlight Steve's remark. .SE, for instance, uses our DNSSEC Policy and Practice Statement (DPS) to describe the routines of verification, .SE’s routines and the overall key management in .SE. The purpose is to make it possible for others to decide what trust they are willing to put in .SE’s DNSSEC key management and administration. Self-evidently we would like the level of responsibility to be perceived as reasonable by any partner involved, and one of the things stated in the DPS is that .SE takes no responsibility for the subdomains' keys or the administration thereof.

It is reasonable to believe that the same approach is preferable when we turn to IANA passing the keys upward.

Best regards,

Anne-Marie Eklund Löwinder
Quality & Security Manager
.SE (The Internet Infrastructure Foundation)




> -----Original message-----
> From: DNSSEC deployment [mailto:dnssec-deployment at shinkuro.com] On behalf of Steve Crocker
> Sent: 19 September 2008 12:36
> To: DNSSEC deployment
> Cc: Steve Crocker; Mats Dufberg Jour Telia-Skanova
> Subject: Re: [dnssec-deployment] dot MUSEUM implemented DNSSEC
> 
> Mats,
> 
> How would you apply your reasoning after the root is signed?
> Suppose the root were signed and IANA accepted keying information
> from each of the TLDs.  And suppose .MUSEUM forwarded its key to
> IANA just as it is doing -- or about to do -- today.  I assume every
> resolver will treat all the keys in the root with equal credibility.
> Are you expecting IANA to impose some conditions on the keys it
> accepts from the TLD operators?  If so, what rules do you want them
> to follow?
>
> Unless there are some specific rules put in place, it seems to me
> that each zone operator will be creating its own key under its own
> policies and passing them upward to its parent.  This is the same as
> how other zone information, e.g. NS records, are handled.
> 
> Thanks,
> 
> Steve
> 
> 
> 
> 
> On Sep 19, 2008, at 5:22 AM, <Mats.Dufberg at teliasonera.com> 
> <Mats.Dufberg at teliasonera.com> wrote:
> 
> >>     The fact that things like this are starting to happen *without* us
> >>     hearing about it ahead of time is a very good sign.  The fact we're
> >>     getting TLDs going forward without "is this safe" questions
> >>     preceding it is good.
> >>
> >> Not saying anything and just doing it is a way of finding out whether
> >> this is safe :-).
> >
> > Well, I do not really agree. If you do not say anything and do not
> > have information around DNSsec few will trust the TLD, i.e. few will
> > add a trust anchor for it. Nobody will discover if the DNSsec is
> > broken if nobody tries to validate it.
> >
> > Signing the zone is just part of the game. Until root is signed, a TLD
> > must make sure it has clear documentation around its key handling and
> > make resolvers trust its keys.
> >
> >
> > Mats
> >
> > ------------------------------------------
> > Mats Dufberg
> > TeliaSonera
> > BBS P&P VAS/Internet
> > +46-70-2582588
> > mats.dufberg at teliasonera.com
> > ------------------------------------------
> >
> > #############################################################
> > This message is sent to you because you are subscribed to
> >   the mailing list <dnssec-deployment at shinkuro.com>.
> > To unsubscribe, E-mail to: <dnssec-deployment-off at shinkuro.com>
> > A public archive is available here: <http://mail.shinkuro.com:8100/ 
> > Lists/dnssec-deployment/> and older material is at 
> > <http://mail.shinkuro.com:8100/Lists/dnssec-deployment-archive/>
> 
> 