[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

Chris Thompson cet1 at cam.ac.uk
Wed Aug 4 09:36:00 EDT 2010

On Aug 4 2010, David Conrad wrote:

>So, one of the theories that popped up after the ITAR was deployed
>was that due to US DoC involvement in root zone changes (but not
>ITAR changes) some countries might not be interested in putting
>their trust anchor in the root whereas they'd be OK with putting
>their trust anchor in the ITAR. I'm not sure this theory has been

It's not quite clear to me why anyone would trust ICANN-with-IANA-ITAR-
-hat-on, but not ICANN-as-holder-of-the-root-KSK (at least to the same
extent). After all, it is possible to extract DS records from the
signed root zone and convert them into manually configured trust
anchors, in just the same way as from the (differently) signed ITAR.

On Aug 4 2010, Mark Andrews wrote:

>In the rush to close down the ITAR you are also cutting off all the
>validators that don't support RSASHA256.  The ITAR provides a secure
>path to learn the trust anchors of the non RSASHA256 signed TLD's
>for those validators.

Again, one could use an RSASHA256-capable set of tools to extract
the relevant DS records and and turn them into trust anchors to
use in an only-RSASHA1-capable nameserver configuration. It wouldn't
be quite as convenient as the ITAR, admittedly.

What you would be losing, though, is the validity periods listed
in the ITAR. But it's notable that the XML version doesn't include
them, and that's surely the one that is used in automated trust
anchor generating systems.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the Dnssec-deployment mailing list