[dnssec-deployment] Filling the IANA ITAR
roy at dnss.ec
Mon Nov 2 06:34:24 EST 2009
On Oct 29, 2009, at 2:53 PM, Paul Vixie wrote:
>> From: Ray.Bellis at nominet.org.uk
>> Date: Thu, 29 Oct 2009 09:20:16 +0000
>> It's signed-root only, as per the presentation actually given.
> can you say why?
There are several reasons why we chose this strategy:
Assume the point from when the root is signed, and its trust anchor
configured in validators.
On ICANN's ITAR:
If those validators configure the UK trust anchor via automatically
fetching the ITAR, BIND and UNBOUND (iirc) will validate only against
the most specific trust anchor ("CLOSEST", instead of "ANY"). If that
fails, resolution fails under that trust anchor. Hence, the stability
is now dependent on the frequency of fetching the ITAR, which is
outside of ICANN's or Nominet's control. This is related to the "ANY"
or "CLOSEST" discussion on trust-paths that re-surfaced recently on
the IETF's DNSEXT mailing list.
We also are uncomfortable with having our trust-anchors published in
DLV. We noticed the issue with the trust-anchors for .PR published in
ISC's DLV. Since there was no relationship between ISC and .PR, .PR
did not notify ISC. PR did update the ITAR, though the timeliness of
that was heavily discussed, just like the frequency of ISC's polling
of the ITAR. If we actively sought to have our trust-anchors published
in DLV, we can manage the timeliness of it all ourselves, however that
defines yet another channel to manage our trust anchors. Subsequently,
we can roll our trust-anchor only as fast as the slowest participating
partner. (this is no value judgement on ISC or ICANN)
One point I'd like to make clear is that the "CLOSEST" strategy used
by implementers, requires publishers to carefully judge the anchors
they publish against what is currently published in the DNS already.
As an example: ITAR should only contain trust anchors for which there
are no DS records in a signed root, and it should contain the trust
anchors for the signed root as well.
Obviously, we will not see a completely signed root (with DS records
for TLD's) before 1st July 2010. We will use the time between between
the signed UK and signed root to get acquainted with the channel that
IANA is developing to communicate trust anchors.
Meanwhile, we strongly recommend against any tomfoolery by alternative
publication schemes with our trust-anchors.
More information about the Dnssec-deployment