On Sep 8, 2009, at 1:19 PM, Edward Lewis wrote:
>> Correct me if I'm wrong, but the architecture of DNSSEC assumed
>> (rightly or wrongly) a single hierarchical deployment model.
>
> Ok, if I must. DNSSEC does not assume a single hierarchical
> deployment model. [...] but it was not until RFC 3008 that the
> recommendation was made to have the authorization to sign data
> follow the tree.)

Are you saying that 3008 has been deprecated? If so, why the big
stink about signing the root?

>> ISC has now thrown a non-hierarchical component to deployment, DLV,
>> into the mix.
>
> ISC has exercised the principle of "local policy overrides" all.

Yep. If you decide to shoot yourself in the head, that's up to you.
What I object to is tying the ability of zone managers to roll a key
to you putting the gun to your temple.

> DLV is perfectly within the heart of the soul of DNSSEC.

Heart and soul? Seriously? Then perhaps it shouldn't be
informational and the implementation should conform to the spec (or
vice versa).

DLV is a bletcherous hack that should not exist and I publicly
apologize to the world for mentioning its predecessor to Paul. Mea
culpa. Of course, one of the reasons I dropped it was that after
thinking about it, I realized that it wouldn't scale and had
stunningly bad operational and deployment characteristics if it ever
gained any sort of following.

If you want DLV to be a long-standing component of the DNS
infrastructure, I'd suggest:

- get the RFC out of informational and into standards track
- get somebody to implement the RFC (or, alternatively, document what
  has been implemented)
- figure out some way of propagating changes to potentially numerous
  unrelated DLV registries

> Still, what it is attempting to do is within limits.

And within the limits of local policy, that's fine. What is simply
broken is having that local policy have global impact.

> What would impress me is a proposal to sign the root zone that
> included a real good look at the provisioning interface as well as
> an OT&E. For instance, promise me a response to a DS change in a
> matter of hours or minutes, not a day.

Did you provide these comments to NTIA? Have you provided comments to
IANA staff regarding potential improvements to the ITAR?

> PS - To date we have more operational experience with DLV than a
> signed root. More and more I will know what to anticipate when
> rolling DNSSEC out the door, at least as far as DLV is concerned.

There are multiple DNSSEC testbeds. Are you making use of them?
Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop