[dnssec-deployment] Filling the IANA ITAR

Roy Arends roy at dnss.ec
Mon Nov 2 06:34:24 EST 2009

On Oct 29, 2009, at 2:53 PM, Paul Vixie wrote:

>> From: Ray.Bellis at nominet.org.uk
>> Date: Thu, 29 Oct 2009 09:20:16 +0000
>> It's signed-root only, as per the presentation actually given.
> can you say why?

There are several reasons why we chose this strategy:

Assume the point from when the root is signed, and its trust anchor  
configured in validators.


If those validators configure the UK trust anchor via automatically  
fetching the ITAR, BIND and UNBOUND (iirc) will validate only against  
the most specific trust anchor ("CLOSEST", instead of "ANY"). If that  
fails, resolution fails under that trust anchor. Hence, the stability  
is now dependent on the frequency of fetching the ITAR, which is  
outside of ICANN's or Nominet's control. This is related to the "ANY"  
or "CLOSEST" discussion on trust-paths that re-surfaced recently on  
the IETF's DNSEXT mailing list.


We also are uncomfortable with having our trust-anchors published in  
DLV. We noticed the issue with the trust-anchors for .PR published in  
ISC's DLV. Since there was no relationship between ISC and .PR, .PR  
did not notify ISC. PR did update the ITAR, though the timeliness of  
that was heavily discussed, just like the frequency of ISC's polling  
of the ITAR. If we actively sought to have our trust-anchors published  
in DLV, we can manage the timeliness of it all ourselves, however that  
defines yet another channel to manage our trust anchors. Subsequently,  
we can roll our trust-anchor only as fast as the slowest participating  
partner. (this is no value judgement on ISC or ICANN)

One point I'd like to make clear is that the "CLOSEST" strategy used  
by implementers, requires publishers to carefully judge the anchors  
they publish against what is currently published in the DNS already.  
As an example: ITAR should only contain trust anchors for which there  
are no DS records in a signed root, and it should contain the trust  
anchors for the signed root as well.

Obviously, we will not see a completely signed root (with DS records  
for TLDs) before 1st July 2010. We will use the time between  
the signed UK and signed root to get acquainted with the channel that  
IANA is developing to communicate trust anchors.

Meanwhile, we strongly recommend against any tomfoolery by alternative  
publication schemes with our trust-anchors.

Kind regards,

Roy Arends
Sr. Researcher
Nominet UK
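An added example, not part of the original post or of any validator's code: a small Python model of the "CLOSEST" versus "ANY" trust-anchor selection the message describes, run over a constructed scenario in which the root anchor is fresh but the uk. anchor fetched from the ITAR has gone stale. The `ancestors`/`validate` functions, the `chain_ok` table and the anchor names are assumptions standing in for real DNSKEY/DS/RRSIG chain checks.

```python
# Added example (not from the original post): models how a validator with
# several configured trust anchors chooses which one to validate against.
# "CLOSEST" tries only the most specific enclosing anchor; "ANY" accepts the
# answer if a chain from any enclosing anchor validates.  Real validators
# build the chain from DNSKEY/DS/RRSIG records; here chain_ok is a
# constructed stand-in keyed by anchor name.

def ancestors(qname):
    """Yield qname and each parent zone up to the root, most specific first."""
    labels = [lbl for lbl in qname.lower().rstrip(".").split(".") if lbl]
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def closest_anchor(qname, anchors):
    """Return the most specific configured anchor covering qname, or None."""
    for name in ancestors(qname):
        if name in anchors:
            return name
    return None


def validate(qname, anchors, chain_ok, policy):
    """Return "secure", "bogus" or "insecure" for qname under the given policy.

    chain_ok maps an anchor name to whether the chain from that anchor down
    to qname validates (constructed input).  A name no anchor covers is
    insecure, not bogus: there is nothing to validate against.
    """
    candidates = [a for a in ancestors(qname) if a in anchors]
    if not candidates:
        return "insecure"
    if policy == "CLOSEST":
        candidates = candidates[:1]          # only the most specific anchor
    elif policy != "ANY":
        raise ValueError("policy must be CLOSEST or ANY")
    return "secure" if any(chain_ok.get(a, False) for a in candidates) else "bogus"


# Constructed scenario from the post: the root is signed and carries a DS for
# uk., and the validator also holds a uk. anchor from the ITAR that is stale
# (the key was rolled faster than the ITAR copy was refreshed).
ANCHORS = {".", "uk."}
CHAIN_OK = {".": True, "uk.": False}


def example():
    """Same stale-anchor scenario under both policies."""
    return {policy: validate("nominet.org.uk.", ANCHORS, CHAIN_OK, policy)
            for policy in ("CLOSEST", "ANY")}
```

Under CLOSEST the stale uk. anchor makes every uk. name bogus even though the root chain would have validated it, which is the dependency on ITAR fetch frequency the post objects to.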
