[dnssec-deployment] SEPs and TARs
scottr at nist.gov
Wed Apr 1 08:49:35 EDT 2009
Edward Lewis wrote:
> Getting to what I wanted to say about SEPs and TARs, from the
> perspective of someone who will be issuing SEPs (at some point in the
> 1) Before I go into production mode, I want to test the impact of my
> SEPs in what ever TARs I believe "matter." (What is meant by "matter"
> I'll leave to your imagination for the time being.)
The .gov TLD tried to do this, but settled on not publishing the SEP key
to a TAR (the ITAR in this case) until some basic testing was done and
upper management signed off on it.
> 2) In general, I'll take any means to prevent any third party from
> preventing the validation of data in my TLD(s) that should otherwise
> pass muster. This is a goal, I realize it is not possible to cover all
> bases, but I would be remiss if I don't try to the best of ability.
> 3) If I encounter a TAR that causes validation for some of the relying
> parties out there, I will take steps to prevent that TAR from
> redistributing my SEP. I.e., like maybe ask nicely.
Luckily most people operating crawlers (or just querying) asked first,
otherwise the .gov TLD operators would have to have done the same.
> 4) If there is a systemic problem in deploying DNSSEC, and the problem
> doesn't quite outweigh the reasons to deploy, I will arm my help desk
> with answers to the questions ("why can't I resolve .tld names?") that
> we will get. This is why I want to drill into any outage we encounter now.
>From what I have heard, .gov and .mil both have programs in place to
assist their respective help desk operators field DNSSEC related
questions. I've been thinking of this at times - I know there could be
some tools for help desk staff to diagnose some DNSSEC problems except
for the fact that there is not a good way to discover what trust anchors
are being used by a remote validator. This goes to your #4 below.
> Those are plans I have for the time being. Other TLDs may adopt similar
> goals - in fact - I would like to hear other's goals that I might want
> to adopt.
> Before closing, requirements I would place on TARs include the following:
> 1) Provide a test environment for SEP provisioning and the resulting
> impact on relying parties
> 2) Only redistribute SEP information with the expressed consent of the
> SEP owner
> 3) Provide an interactive interface for the provisioning (submission to
> TAR) of SEP data
Sounds like #2 and #3 go together. Domain holders submit SEP key
material to a TAR, and need a way to do so.
> 4) Allow relying parties to identify the TAR from which they obtained
> the SEP, to help in debugging
I think this requirement should be a higher priority. Not sure how best
to address it right now, but thinking about it.
Scott Rose Computer Scientist
ph: +1 301-975-8439
scott.rose at nist.gov
More information about the Dnssec-deployment