[Dnssec-deployment] shutting down the ITAR
jim at rfc1035.com
Mon Aug 2 19:14:54 EDT 2010
On 2 Aug 2010, at 22:42, Kevin Oberman wrote:

> Since we have no firm dates for the signing and acceptance of trust
> anchors for lots of domains (including .com and .net), I think it's
> rather premature to be scheduling the end of the ITAR.

I agree it's premature to announce a date for closing down the ITAR.
However, that doesn't mean there shouldn't be a discussion about how
and when to do that. IIRC the documentation for the ITAR did include
an exit strategy.

FWIW https://itar.iana.org/instructions says the ITAR "will be
decommissioned once the root zone is signed". There have been many
public statements about this too. Well, the root is signed => ITAR is
in the departure lounge. So it's not premature to discuss how to close
down the ITAR.

Perhaps the most likely scenario will be that whenever TLDs roll over
their KSKs, the new ones will just go directly into the root -- OK
their DS records will go there -- and the ITAR gradually fades away?
Maybe it would have some value as a historical archive of the TLD keys
used by early adopters from the days before the root was signed.

I'm not sure if unsigned TLDs will need the ITAR now that the root is
signed. It might help a little when transitioning to a signed TLD, i.e.
let consenting adults do validation for the TLD against a trust anchor
from the ITAR prior to "going live" with DS records for the TLD in the
root. That incremental approach might well become less popular with
increased experience of DNSSEC deployment in TLDs.