[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

João Damas joao at bondis.org
Wed Aug 4 10:52:59 EDT 2010


On 4 Aug 2010, at 16:49, Ondřej Surý wrote:

> On 4.8.2010 16:34, João Damas wrote:
>> sure, the name is the least important part. OOB data availability is the sought feature.
> 
> But having OOB maintained by the same organization (IANA) as primary data source doesn't have any real benefit.

it does, because I fear the process is not running in a closed loop

> If there is a compromise then the TAs will be changed at both places.

not necessarily, the process has many stages and it doesn't come back to the originator for verification (or does it?)

> But it does make sense for registries to publish their DS on their secure webpages (signed by PGP) as they did it before with DNSKEYs.


that is inconvenient to say the least.

Joao

