[Dnssec-deployment] shutting down the ITAR

Olafur Gudmundsson ogud at ogud.com
Tue Aug 3 09:44:43 EDT 2010

On 02/08/2010 7:14 PM, Jim Reid wrote:
> On 2 Aug 2010, at 22:42, Kevin Oberman wrote:
>> Since we have no firm dates for the signing and acceptance of trust
>> anchors for lots of domains (including .com and .net), I think it's
>> rather premature to be scheduling the end of the ITAR.
> I agree it's premature to announce a date for closing down the ITAR.
> However that doesn't mean there shouldn't be a discussion about how and
> when to do that. IIRC the documentation for the ITAR did include an exit
> strategy.

I disagree, it is a fine time to announce when the ITAR will take the
following steps:
	a. Stop accepting new registrations
	b. Stop accepting updates to existing registrations
	c. Stop being available

All TLD's that are not currently signed SHOULD only add their DS records 
to the root when the TLD is signed.
ITAR was a deployment aid, the only reason for it to be still in use is
the fact that not all TLD's in the ITAR have added DS's to the root.

> FWIW https://itar.iana.org/instructions says the ITAR "will be
> decommissioned once the root zone is signed". There have been many
> public statements about this too. Well, the root is signed => ITAR is in
> the departure lounge. So it's not premature to discuss how to close down
> the ITAR.
> Perhaps the most likely scenario will be that whenever TLDs rollover
> their KSKs, the new ones will just go directly into the root -- OK their
> DS records will go there -- and the ITAR gradually fades away? Maybe it
> would have some value as a historical archive of the TLD keys used by
> early adopters from the days before the root was signed.
> I'm not sure if unsigned TLDs will need the ITAR now that the root is
> signed. It might help a little when transitioning to a signed TLD. ie
> Let consenting adults do validation for the TLD against a trust anchor
> from the ITAR prior to "going live" with DS records for the TLD in the
> root. That incremental approach might well become less popular with
> increased experience of DNSSEC deployment in TLDs.

If the ITAR does not announce a decommissioning plan with dates it will 
never fade away!!!


