[dnssec-deployment] Filling the IANA ITAR
mlarson at verisign.com
Thu Oct 29 04:11:46 EDT 2009
On Wed, 28 Oct 2009, Bill Manning wrote:
> w/o comment, it was noted that .UK has zero intent to support RFC
> 5011, will not publish their keys on a website, won't put them in
> the ITAR or dlv.
I didn't mention it during my presentation about .com/.net, but
VeriSign is not implementing RFC 5011 semantics for KSK rolls in .com
and .net, nor will they be separately published anywhere--no web page,
no newspaper ads, etc. There will be DS records in the root and trust
in .com/.net is intended to start at the root. If someone
configures those keys as trust anchors, well, that's unfortunate
because validation is going to fail at some point.
> more interesting for those ITAR-smitten. There is no plan to move
> the ITAR into the root zone. Folks who want their DS records in the
> root zone will have to submit them -after- the root gets signed.
> There is no plan to automatically remove data from the ITAR when the
> DS records are added to the root zone.
> This last leads me to believe that there will be a raft of
> inconsistencies as folks forget to pull old data out of the ITAR -
> or to scrub those DLV registries that import from the ITAR.
> Richard or Matt, if you could clarify, I would be most grateful
The ITAR is an IANA functions issue, so I cannot comment on it.