[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]
Frederico A C Neves
fneves at registro.br
Wed Aug 4 11:16:07 EDT 2010
On Wed, Aug 04, 2010 at 04:29:07PM +0200, Mats.Dufberg at teliasonera.com wrote:
> > From: dnssec-deployment-bounces at dnssec-deployment.org
> > [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On
> > Behalf Of João Damas
> > Sent: den 4 augusti 2010 16:17
> (...)
> > As for the ITAR, the cost is minimal, the question should be
> > more whether is useful or not. The protocol is defined in a
> > way such that instead of a single delegation from parent to
> > child, with DNSSEC you have two and they need not match
> > thanks to the idea of "islands of trust".
> > IMHO, the ITAR is a nice out-of-band checkpoint for data, in
> > particular if you see item 1 above, so if anything, the ITAR
> > would seem to be useful and all TLDs ought to be encouraged
> > to use it independently of whether the root is signed or not.
>
> The ITAR was created because the root zone was not signed and it has
> no role to play anymore. It could, however, be useful to have the DS
> record being published somewhere else besides in the zone file. The
> natural place is the zone management site that IANA
> administrates. There you can find the NS record, and as I see it,
> the DS record together with the NS records is the delegation for a
> DNSsec signed zone. E.g. http://www.iana.org/domains/root/db/bg.html
IANA whois server is already providing this.
> whois -h whois.iana.org bg
% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object
domain: BG
...
nserver: NS-BG.RIPE.NET 193.0.12.34
nserver: NS-EXT.VIX.COM 204.152.184.64
nserver: NS.REGISTER.BG 192.92.129.99
nserver: NS2.REGISTER.BG 193.68.3.232
nserver: NS3.REGISTER.BG 94.155.14.10
nserver: SUNIC.SUNET.SE 192.36.125.2 2001:6b0:7:0:0:0:0:2
ds-rdata: 46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
ds-rdata: 46846 5 2 26811E459C850F50A85D1EAF589E30DC14D09D1A6E6262E8D36B6BFFC605334C
whois: whois.register.bg
...
> Mats
Fred
More information about the Dnssec-deployment
mailing list