[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

João Damas joao at bondis.org
Wed Aug 4 10:16:42 EDT 2010

On 4 Aug 2010, at 15:43, Peter Koch wrote:

> On Wed, Aug 04, 2010 at 02:36:00PM +0100, Chris Thompson wrote:
>> It's not quite clear to me why anyone would trust ICANN-with-IANA-ITAR-
>> -hat-on, but not ICANN-as-holder-of-the-root-KSK (at least to the same
> because the role "holder-of-the-root-KSK" has little influence over the content
> of the zone (by definition).

In fact, does the IANA get to check that the end result of the root generation process (including signing) has the changes that IANA requested to begin with? That is, does the requester get to check the zone before it gets published?

As for the ITAR, the cost is minimal; the question should be more whether it is useful or not. The protocol is defined in a way such that instead of a single delegation from parent to child, with DNSSEC you have two and they need not match thanks to the idea of "islands of trust".
IMHO, the ITAR is a nice out-of-band checkpoint for data, in particular if you see item 1 above, so if anything, the ITAR would seem to be useful and all TLDs ought to be encouraged to use it independently of whether the root is signed or not.

