In message <a06240801c6cd6fc26...@[10.31.200.192]>, Edward Lewis writes:
> At 6:04 -0500 9/9/09, Michael Graff wrote:
>
> >Perhaps something as simple as "valid until" might be useful
> >for an ITAR like thing, but only so long as it comes from the submitter
> >of that key.
>
> ...We take the first step down the path of certificates, X.509, and
> that sort of thing. ;)
>
> We need to be careful. The jargon used for DNSSEC has included
> phrases like, "a ZSK should expire in 3 months". DNSKEY RRs do not
> have time in them, RRSIG RRs do - and only in there is absolute time
> ever apparent inside the DNS (system). If we now attach absolute
> times to the presence of records (in this case the DS RR that is the
> result), we are introducing a new paradigm.
>
> What happens when the parent disposes the DS RR at the end of the
> key's effectivity date? Will the child know to remove the same
> DNSKEY, or at least mark it as revoked in RFC 5011 speak? Do we need
> to define a signal mechanism from the parent to child? These are the
> kinds of things that need to be thought about thoroughly - and why I
> say we need to treat the disease and not the symptoms.
>
> Brainstorming is good and we do need that, but be aware we need to
> arrive at a fully fleshed-out solution.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis
> NeuStar                    You can leave a voice message at +1-571-434-5468
>
> As with IPv6, the problem with the deployment of frictionless surfaces is
> that they're not getting traction.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
I don't think we need to make ITAR more complicated than it already is, as
it is intended to go away once the root is signed.

Adding a recommendation of daily checks would be a good thing.

It would be useful for IANA to send the TLDs that are using ITAR something
about this so they become aware of the need to factor in a reasonable
rollover period after adding the new key to the ITAR, along with a
description of what happened when this didn't happen. We can debate
"reasonable", but 2-4 weeks seems to be the right ballpark.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
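The daily check Mark suggests, as an added illustration that is not part of this thread and not ISC or IANA code: a small Python script that recomputes key tags and DS digests (RFC 4034) from a zone's DNSKEY RRset and compares them with the DS set a trust-anchor repository such as ITAR publishes, reporting keys that are anchored, not yet anchored (so the old key cannot safely be retired), revoked in the RFC 5011 sense, or left over in the repository. The zone name, the toy keys and the DS records are constructed sample data, not real trust anchors.

```python
import base64
import hashlib
import struct

REVOKE = 0x0080                                  # DNSKEY REVOKE flag bit (RFC 5011)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}   # DS digest types (RFC 4034, RFC 4509)

def wire_name(owner):  # canonical wire form: lowercase, length-prefixed labels, root byte
    return b"".join(bytes([len(l)]) + l.encode() for l in owner.lower().split(".") if l) + b"\x00"
def key_tag(rdata):  # RFC 4034 Appendix B key tag over the DNSKEY rdata (algorithms other than 1)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF
def parse_dnskey(line):  # 'owner TTL IN DNSKEY flags proto alg base64...' -> (flags, alg, rdata)
    f = line.split()
    i = f.index("DNSKEY")
    rdata = struct.pack("!HBB", int(f[i+1]), int(f[i+2]), int(f[i+3]))
    return int(f[i+1]), int(f[i+3]), rdata + base64.b64decode("".join(f[i+4:]))
def ds_digest(owner, rdata, digest_type):  # DS digest = H(canonical owner name || DNSKEY rdata)
    return DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()

def check_anchors(owner, dnskey_lines, ds_lines):
    """Compare the zone's current DNSKEY RRset with the DS set a repository publishes for it."""
    published = {}                               # (key tag, algorithm, digest type) -> digest hex
    for line in ds_lines:
        f = line.split()
        i = f.index("DS")
        published[(int(f[i+1]), int(f[i+2]), int(f[i+3]))] = "".join(f[i+4:]).upper()
    out, matched = {"anchored": [], "unanchored": [], "revoked": []}, set()
    for line in dnskey_lines:
        flags, alg, rdata = parse_dnskey(line)
        tag = key_tag(rdata)
        if flags & REVOKE:                       # a revoked key must not stay anchored
            out["revoked"].append(tag)
            continue
        hits = [k for k, d in published.items()
                if k[:2] == (tag, alg) and d == ds_digest(owner, rdata, k[2])]
        out["anchored" if hits else "unanchored"].append(tag)
        matched.update(hits)
    out["stale"] = sorted({k[0] for k in published if k not in matched})
    return out

OWNER = "example."                               # constructed zone, not a real deployment
DNSKEYS = [                                      # constructed toy keys; real keys are far longer
    "example. 3600 IN DNSKEY 257 3 8 AQIDBA==",  # old KSK (tag 2063), DS already published
    "example. 3600 IN DNSKEY 257 3 8 BQYHCA==",  # new KSK (tag 4119), not yet in the repository
]
DS_SET = [                                       # constructed repository contents
    "example. IN DS 2063 8 2 " + ds_digest(OWNER, parse_dnskey(DNSKEYS[0])[2], 2),
    "example. IN DS 9999 8 2 " + "00" * 32,      # leftover DS for a key no longer in the zone
]
```

Run daily against the live DNSKEY RRset and the repository's DS export; a non-empty "unanchored" list means the rollover period has not yet elapsed for that key, and a non-empty "stale" or "revoked" list means the repository entry should be withdrawn.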