[Dnssec-deployment] Dropping IANA ITAR entries [was: KSK rollover in .cz]

Peter Koch pk at ISOC.DE
Wed Aug 4 12:32:17 EDT 2010


On Wed, Aug 04, 2010 at 04:49:00PM +0200, Ondřej Surý wrote:

> data source doesn't have any real benefit.  If there is a compromise 
> then the TAs will be changed at both places.

The theory behind this, IIRC, was less a compromise than a deliberate action
to, say, not publish certain keys/TAs (which can be viewed as an integrity
compromise).  However, that's not for the role of the KSK holder to
monitor.

> But it does make sense for registries to publish their DS on their 
> secure webpages (signed by PGP) as they did it before with DNSKEYs.

What sense do you really see it make?  How would you make sure this
is not read as encouraging manual TA configurations (involving rollover
hassles and the like)?

-Peter

