At 12:35 -0700 9/8/09, David Conrad wrote:

> Correct me if I'm wrong, but the architecture of DNSSEC assumed (rightly or
> wrongly) a single hierarchical deployment model.

Ok, if I must. DNSSEC does not assume a single hierarchical deployment model. If it did, there would not be a reason to identify the signer in the RRSIG. (Archeological evidence also includes - 2065 was DNSSEC I, 2535 was DNSSEC II, but it was not until RFC 3008 that the recommendation was made to have the authorization to sign data follow the tree.)

The short version of why RFC 3008 came about was that we found it too hard for our meager research effort to define a policy language (to express acceptable signatures for data) and implement it in the BIND 8 we were hacking to support the dream of a fully general authorization model. Mind you, the dreams then were fueled by researchers more in with the security crowd than with the DNS crowd.

(I do remember many strawman models I worked up, one that I visualized with a chain of paper clips. Yes, basic research.)

> ISC has now thrown a non-hierarchical component to deployment, DLV, into
> the mix.

ISC has exercised the principle of "local policy overrides all." DLV is perfectly within the heart of the soul of DNSSEC.

I should acknowledge that I am not a fan of DLV. I am a little fearful of it. There are many things about it I don't like. Still, what it is attempting to do is within limits.

> It isn't particularly surprising that this has an impact on DNSSEC
> operations.  Perhaps the solution is to not use DLV?

I'm not one to throw stones, considering I live in a glass house (albeit the glass is still covered by plywood), but one "solution" regarding DLV by ISC is to continue to stamp out the evil operations gremlins. I don't mean to pick, but ISC's operational expertise is mostly in the operation of F root, not in operating a provisioning registry. 20-20 hindsight, it's now apparent that in (say) January 2009, ISC had a lot to learn ahead of it. (I'm not going to make any statement about their operations chops now.)

> As current US politics empirically prove, it is NEVER too late for weeping
> and wailing.

What would impress me is a proposal to sign the root zone that included a real good look at the provisioning interface as well as an OT&E. For instance, promise me a response to a DS change in a matter of hours or minutes, not a day.

PS - To date we have more operational experience with DLV than a signed root. More and more I will know what to anticipate when rolling DNSSEC out the door, at least as far as DLV is concerned.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop