On 11 Sep 2009, at 14:35, Paul Wouters wrote:
> If you install a nameserver on Fedora 11 or newer, it comes with TLD
> keys preloaded and DLV enabled.
Yawn.
> What are you calling "minimal"?
The dictionary definition will do. Or, failing that, a percentage of
the people using a specific release/variant of a Linux distro. Which
is a percentage of the installed base of that distro. Which is a
percentage of the overall Linux distros. Which is a small-ish
percentage of the devices connected to the Internet. Seems fairly
minimal to me. Your mileage may of course vary.
> Are you suggesting that if a TLD makes a big mistake, we the
> internet people are to blame for any government consequences?
No. I'm saying that if we, the Internet experts, make a half-assed job
of putting processes and procedures in place around important Internet
infrastructure, someone one day is going to come along, take the toys
away and provide adult supervision. Making the odd mistake is not the
problem. We're all human after all. Not having transparent mechanisms
for resolving those problems or minimising their impact is an issue.
Suppose a government cared about DNSSEC, do you think they'd be happy
for their ccTLD key(s) to go into a DLV registry without some kind of
agreement or understanding between the ccTLD, the DLV registry and
perhaps even the government itself? Or let's re-ask that question in a
different context. If you were responsible for a TLD would you be
happy for its keys to end up passing from the ITAR to some DLV
repository where they could be used for who knows what without you
having any influence over that? [Like only checking the ITAR for new
keys once in a blue moon.] Hint: if others used an explicit TA for
your TLD, DNS resolution/validation for your TLD won't depend on the
DLV registry or its DNS infrastructure. And if there's a problem
there's a binary answer: either you screwed up the signing or the
other guy got the TA wrong. If DLV was involved, the path would be
longer and murkier.
> But the community is in no position to dictate procedure nor to be
> the party to assign blame to when things go wrong.
You haven't understood what I said. So let me repeat it Paul. I am not
blaming anyone or looking to apportion blame. I am not trying to
dictate procedure either: just that there should be procedure(s). I am
saying that if TLD keys go into the ITAR and from there into some DLV
registry (or whatever), there need to be agreements documenting how
this works, the respective roles and responsibilities and how the
parties to that agreement interact with each other, particularly for
things like rollovers or emergency problem resolution. The actual
mechanics of that are not procedures or processes dictated from above:
they're worked out between the parties involved.
Hey it's not like we're in the 1990's when few TLDs had agreements
with whoever provided slave service for their zone, is it?
>> If someone claims there is no other DLV, then the onus on them is
>> to prove that.
> Ever heard about Bertrand Russell's teapot around Mars argument?
Of course. But IMO it's you who's making an assertion about the
existence of that teapot (a single DLV registry) orbiting Mars. Let's
not waste time debating whether there's more than one teapot up there.
It's a distraction from the real issues.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
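The point made above about an explicit trust anchor versus DLV can be seen directly in resolver configuration. The following is an added example, not part of the original message or of any project mentioned in it: a BIND 9.6-era named.conf fragment with both validation paths side by side. The TLD name "tld.", the registry name "dlv.example." and the key strings are placeholders, not real identifiers or key material.

```conf
options {
    dnssec-enable yes;
    dnssec-validation yes;

    // Path B: lookaside validation. Names with no configured trust
    // anchor above them are validated through the DLV registry's zone,
    // so resolving them now also depends on the registry's DNS
    // infrastructure and on whoever maintains its DLV records.
    // "dlv.example." is a placeholder for the registry's zone name.
    dnssec-lookaside "." trust-anchor dlv.example.;
};

trusted-keys {
    // Path A: explicit trust anchor for the TLD, obtained out of band
    // (e.g. fetched from the ITAR) and maintained by this resolver's
    // operator. "tld." and the key are placeholders, not real data.
    "tld." 257 3 5 "AwEAAc...placeholder...";

    // Required for path B: the DLV registry's own KSK is a second
    // trust anchor, with a rollover schedule this operator does not
    // control. Placeholder key material.
    "dlv.example." 257 3 5 "AwEAAd...placeholder...";
};
```

With the explicit "tld." entry present, the validator starts its chain of trust at that key for every name under the TLD and never consults the lookaside zone for them; an outage or a stale record at the DLV registry cannot break validation of the TLD, and a failure is attributable either to the TLD's signing or to a wrong trusted-keys entry on the resolver. Remove that entry and keep only the dnssec-lookaside line, and the same names validate only if the registry's zone is reachable, correctly signed and carries a current DLV record for the TLD, which is the longer and murkier path the message describes. The caveat a practitioner wants: the explicit anchor moves the rollover burden onto the resolver operator, so the trusted-keys entry must be refreshed when the TLD rolls its KSK, which is exactly why the message argues for documented procedures between the parties.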