[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

Frederico A C Neves fneves at registro.br
Wed Aug 4 11:16:07 EDT 2010

On Wed, Aug 04, 2010 at 04:29:07PM +0200, Mats.Dufberg at teliasonera.com wrote:
> > From: dnssec-deployment-bounces at dnssec-deployment.org 
> > [mailto:dnssec-deployment-bounces at dnssec-deployment.org] On 
> > Behalf Of João Damas
> > Sent: den 4 augusti 2010 16:17
> (...)
> > As for the ITAR, the cost is minimal, the question should be 
> > more whether is useful or not. The protocol is defined in a 
> > way such that instead of a single delegation from parent to 
> > child, with DNSSEC you have two and they need not match 
> > thanks to the idea of "islands of trust".
> > IMHO, the ITAR is a nice out-of-band checkpoint for data, in 
> > particular if you see item 1 above, so if anything, the ITAR 
> > would seem to be useful and all TLDs ought to be encouraged 
> > to use it independently of whether the root is signed or not.
> The ITAR was created because the root zone was not signed and it has
> no role to play anymore. It could, however, be useful to have the DS
> record being published somewhere else besides in the zone file. The
> natural place is the zone management site that IANA
> administrates. There you can find the NS record, and as I see it,
> the DS record together with the NS records is the delegation for a
> DNSsec signed zone. E.g. http://www.iana.org/domains/root/db/bg.html

IANA whois server is already providing this.

 > whois -h whois.iana.org bg
 % IANA WHOIS server
 % for more information on IANA, visit http://www.iana.org
 % This query returned 1 object

 domain:       BG
 nserver:      NS-BG.RIPE.NET
 nserver:      NS-EXT.VIX.COM
 nserver:      NS.REGISTER.BG
 nserver:      NS2.REGISTER.BG
 nserver:      NS3.REGISTER.BG
 nserver:      SUNIC.SUNET.SE 2001:6b0:7:0:0:0:0:2
 ds-rdata:     46846 5 1 1D83F503CCED4A4B6F7F8DB1CF43D38F9133A3EA
 ds-rdata:     46846 5 2 26811E459C850F50A85D1EAF589E30DC14D09D1A6E6262E8D36B6BFFC605334C

 whois:        whois.register.bg

> Mats


More information about the Dnssec-deployment mailing list