[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

Mats.Dufberg at teliasonera.com Mats.Dufberg at teliasonera.com
Wed Aug 4 10:29:07 EDT 2010

> From: dnssec-deployment-bounces at dnssec-deployment.org 
> [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On 
> Behalf Of João Damas
> Sent: den 4 augusti 2010 16:17
> As for the ITAR, the cost is minimal, the question should be 
> more whether is useful or not. The protocol is defined in a 
> way such that instead of a single delegation from parent to 
> child, with DNSSEC you have two and they need not match 
> thanks to the idea of "islands of trust".
> IMHO, the ITAR is a nice out-of-band checkpoint for data, in 
> particular if you see item 1 above, so if anything, the ITAR 
> would seem to be useful and all TLDs ought to be encouraged 
> to use it independently of whether the root is signed or not.

The ITAR was created because the root zone was not signed and it has no role to play anymore. It could, however, be useful to have the DS record being published somewhere else besides in the zone file. The natural place is the zone management site that IANA administrates. There you can find the NS record, and as I see it, the DS record together with the NS records is the delegation for a DNSsec signed zone. E.g. http://www.iana.org/domains/root/db/bg.html


Mats Dufberg
Senior System Expert DNS
TeliaSonera BBS Networks AP SP Internet
mats.dufberg at teliasonera.com

More information about the Dnssec-deployment mailing list