[Working for a TLD, so I believe I understand the problem of interacting with the root, with the local Internet community, etc.]
On Fri, Sep 11, 2009 at 09:42:06AM +0100,
 Jim Reid <j...@rfc1035.com> wrote
 a message of 55 lines which said:

> Now please suggest how someone can perform that due diligence in
> circumstances where there are unknown (to them) actors

If dlv.isc.org is an unknown actor to a DNSSEC-signed TLD, they indeed
have a big problem!

The best proof that there was *no* "due diligence" is that on the very
own Web site of ".pr", they still publish the old key
<http://dnssec.nic.pr/serverconf.php>. Can you blame DLV, ISC or an
unknown actor for that?

I fully agree with Paul Wouters here: the responsibility of a TLD
manager is to make sure it works. Not to blindly follow a
procedure. When you deploy a new name server, you test it from many
places, you don't just publish the route with BGP, you test with many
unknown actors that it does work.

> Has ISC told .pr "Be informed we're slurping your keys from the ITAR
> and feeding them to our DLV engine. This happens once a
> day/week/whatever. Bear this in mind if you ever roll a key"? I
> doubt it.

Currently, almost no one (outside of this mailing list) uses
DNSSEC. Yet, you say that there are people in this very small
community that are not aware of dlv.isc.org and not aware that it
mirrors ITAR? Come on.

>> Reality is, there is only one DLV they need to worry about.
>
> Prove it.

There is today only one big DLV registry. If you know others, please
inform the community, it is an important thing to know.