On 11 Sep 2009, at 10:48, Stephane Bortzmeyer wrote:

> > Now please suggest how someone can perform that due diligence in
> > circumstances where there are unknown (to them) actors

> If dlv.isc.org is an unknown actor to a DNSSEC-signed TLD, they indeed
> have a big problem!

Stephane, you are picking nits instead of addressing the points I made.
These focus on the fact that there are informal undocumented arrangements around the operation of a DLV registry, how and where that registry gets its keying material, how that registry publishes the info, what its operating practices and service commitments are, how others use that DLV registry for validation, what problem reporting and escalation procedures are available, etc, etc. These are the unknown actors I was referring to.

It appears there was no procedure for .pr to give ISC a heads-up about the key rollover. Or for ISC to nudge .pr about the problem caused by the changed key. That worries me. It should worry you too.

At one level this is no big deal in the context of minimal DNSSEC deployment and only some fraction of that being dependent on dlv.isc.org. However, we are talking about something that affects core Internet infrastructure, namely a TLD. IMO, more care is needed. If the Internet people don't do that, there is a strong possibility their toys will one day get taken away because governments will decide they have to intervene to impose order on something that appears to them to be (a) important; (b) unsatisfactorily supervised.

> Can you blame DLV, ISC or an unknown actor for that?

I am not blaming anyone or seeking to apportion blame. I'm simply pointing out that it's not wise for the operation of things like DLV to be based on unstated assumptions and goodwill best efforts (however noble these things are) instead of documented processes/procedures.

> Currently, almost no one (outside of this mailing list) uses
> DNSSEC. Yet, you say that there are people in this very small
> community that are not aware of dlv.isc.org and not aware that it
> mirrors ITAR? Come on.

No, I'm not saying that. I am saying that it is not wise to work from the assumption (correct or otherwise) that dlv.isc.org is the only DLV in town. If someone claims there is no other DLV, then the onus is on them to prove that.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop