[dnssec-deployment] Filling the IANA ITAR

Mark Andrews marka at isc.org
Thu Oct 29 18:16:29 EDT 2009


> i ask for the obvious self serving reason that if there's no secure way to
> get these keys then we (ISC) cannot put them into DLV (http://dlv.isc.org/)
> since we do not and will not key-scrape.  but i'm also generally curious --
> what's the point of signing a tld zone if you're not going to publish keys,
> and if the root isn't signed yet, why not use some other key distribution
> method first?

There is a secure way: look up the DS records and translate.  Subtract
the DLV TTL (dlv_ttl) from the DS TTL (ds_ttl) and re-verify before
(ds_ttl - dlv_ttl) expires.  I'm not saying we should do this, but
it is possible.
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
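
The translation described in the message above, as an added example (not part of the original post and not ISC's code): DLV records share the DS RDATA format, so each DS is republished under the registry zone and the DS RRset is re-verified before ds_ttl - dlv_ttl elapses. The `validated` flag, the function names and the sample records are assumptions made for illustration.

```python
from dataclasses import dataclass

DLV_ZONE = "dlv.isc.org."            # DLV registry named in the thread
DIGEST_HEX_LEN = {1: 40, 2: 64}      # DS digest types: 1 = SHA-1, 2 = SHA-256

# Constructed sample DS RRset (owner, key tag and digests are made up).
SAMPLE_DS = [
    "example. 86400 IN DS 12345 5 1 " + "0A" * 20,
    "example. 86400 IN DS 12345 5 2 " + "1B" * 32,
]

@dataclass(frozen=True)
class DS:
    owner: str
    ttl: int
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str

def parse_ds(line):
    """Parse 'owner TTL IN DS key_tag algorithm digest_type digest...'."""
    f = line.split()
    if len(f) < 8 or f[2].upper() != "IN" or f[3].upper() != "DS":
        raise ValueError(f"not a DS record: {line!r}")
    owner, digest = f[0].lower(), "".join(f[7:]).upper()
    if owner == "." or not owner.endswith("."):
        raise ValueError("owner must be a fully qualified non-root name")
    dtype = int(f[6])
    if len(digest) != DIGEST_HEX_LEN.get(dtype, -1) or set(digest) - set("0123456789ABCDEF"):
        raise ValueError(f"bad digest for digest type {dtype}")
    return DS(owner, int(f[1]), int(f[4]), int(f[5]), dtype, digest)

def translate(ds_lines, validated, dlv_ttl, now):
    """Return (DLV RR lines, latest epoch second to re-verify the DS RRset)."""
    if not validated:   # assumption: the caller's resolver DNSSEC-validated the DS RRset
        raise ValueError("DS RRset not DNSSEC-validated; refusing to translate")
    rrset = [parse_ds(l) for l in ds_lines]
    if len({r.owner for r in rrset}) != 1:
        raise ValueError("expected exactly one DS RRset")
    window = min(r.ttl for r in rrset) - dlv_ttl     # ds_ttl - dlv_ttl
    if window <= 0:
        raise ValueError("dlv_ttl must be shorter than ds_ttl")
    dlv = [f"{r.owner}{DLV_ZONE} {dlv_ttl} IN DLV {r.key_tag} {r.algorithm} "
           f"{r.digest_type} {r.digest}" for r in rrset]
    return dlv, now + window
```

If the re-verification fails or the deadline passes without one, the published DLV records should be withdrawn rather than left to outlive the DS they were derived from.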


