On 11 Sep 2009, at 17:07, Roy Arends wrote:
On Sep 10, 2009, at 11:09 PM, Paul Wouters wrote:
On Thu, 10 Sep 2009, David Conrad wrote:
Again, I am not objecting to people using DLV. I think it is ucky,
but that's just me. What I am objecting to is the suggestion made
here that _before a TLD that has submitted its keys to the ITAR
rolls its keys, it must notify the (potentially multiple?) folks
who run a DLV registry, of which the TLD may have no knowledge,
who have harvested ITAR data and wait_. That's just crazy talk.
A TLD should do due diligence. I mean, it's their core business. It's the
ONLY thing they should do right. Make sure their zone file works.
Paul. Their zone file works. Has worked. DLV was the problem. PR has
nothing to do with it. Stop blaming PR.
Not DLV, but ISC's DLV management, to be specific.
As for .pr, they ought to update their keys with the IANA as soon as
they put them in the zone, perhaps even earlier if the ITAR allows for
deferred publication (whatever the IANA ends up doing I hope deferred
publication is in the system requirements, independently of how the
key is made visible to the world)
Even when this issue was found, they could have easily added their old
key to the zone to ensure DLV would work until it got updated.
Arguing there might be 15 unknown DLV's is kind of beside the point.
Reality is, there is only one DLV they need to worry about.
I'd recommend that domain holders who do NOT want their dnskey (or
hashed derivative) end up in some DLV, copyright their public keys.
I also recommend that, when submitting TLD DNSKEYS to IANA, IANA
allows the option that the keys will NOT be published in their ITAR and
solely be distributed via the root zone (in that 6 month period when
both exist).
Well, I hope not. In fact I hope the ITAR never goes away and I have a
means of cross checking the info the IANA has and publishes directly
against what ends up in the root zone. I also hope they are the same
all the time, but it is just nice to be able to check what things look
like when they enter the pipeline and when they come out.
Joao
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop