[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]
João Damas
joao at bondis.org
Wed Aug 4 10:34:16 EDT 2010
sure, the name is the least important part. OOB data availability is the sought feature.
Joao
On 4 Aug 2010, at 16:29, <Mats.Dufberg at teliasonera.com> wrote:
>> From: dnssec-deployment-bounces at dnssec-deployment.org
>> [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On
>> Behalf Of João Damas
>> Sent: den 4 augusti 2010 16:17
> (...)
>> As for the ITAR, the cost is minimal, the question should be
>> more whether is useful or not. The protocol is defined in a
>> way such that instead of a single delegation from parent to
>> child, with DNSSEC you have two and they need not match
>> thanks to the idea of "islands of trust".
>> IMHO, the ITAR is a nice out-of-band checkpoint for data, in
>> particular if you see item 1 above, so if anything, the ITAR
>> would seem to be useful and all TLDs ought to be encouraged
>> to use it independently of whether the root is signed or not.
>
> The ITAR was created because the root zone was not signed and it has no role to play anymore. It could, however, be useful to have the DS record being published somewhere else besides in the zone file. The natural place is the zone management site that IANA administrates. There you can find the NS record, and as I see it, the DS record together with the NS records is the delegation for a DNSsec signed zone. E.g. http://www.iana.org/domains/root/db/bg.html
>
>
> Mats
>
> ------------------------------------------
> Mats Dufberg
> Senior System Expert DNS
> TeliaSonera BBS Networks AP SP Internet
> +46-70-2582588
> mats.dufberg at teliasonera.com
> ------------------------------------------
>
More information about the Dnssec-deployment
mailing list