Hi Mark,

On 11/09/09 4:47 PM, "Mark Andrews" <ma...@isc.org> wrote:
> 
> Publish new DNSKEY, publish new DS, wait at least the max TTL of
> the old DS/DNSKEY TTLs.  Remove old DS, remove old DNSKEY.
> 
> The same thing should be happening with ITAR.  Publish new DNSKEY,
> publish new DS, wait the prescribed period for the trust anchors to
> be updated, remove old DS, remove old DNSKEY.
> 
> At the moment no one knows how long to wait as you haven't told
> anyone what that period should be.

Are you suggesting ITAR needs to add TTLs, or that ITAR should somehow
technically enforce sufficiently long overlap periods, or that it should just
provide rules that TLD operators are expected to abide by?

The assumption right now is that it is for the TLD operators to act responsibly
and make changes as appropriate. ITAR is just an oblivious republisher of
data that they have submitted and that it has subsequently verified as genuine. It
seems to me the problems you describe are ones of encouraging best practice
amongst TLD operators, rather than a specific defect in ITAR.

Kim

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
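The rollover schedule in the quoted message (publish new DNSKEY, publish new DS, wait at least the larger of the old DS and DNSKEY TTLs, then drop the old DS and the old DNSKEY) can be checked against a population of caching validators. The script below is an added example written for this page, not code from either poster or from ITAR. It uses abstract time ticks and small constructed TTLs so that every cache phase can be enumerated, treats the chain of trust as intact whenever some cached DS matches some cached DNSKEY, and ignores RRSIG lifetimes and negative caching; the key tags 11111 and 22222 are made up.

```python
"""Model a DS/DNSKEY rollover against caching validators of every cache phase.

Time is in abstract ticks and TTLs are small integers so all phases can be
enumerated. Constructed example; no real zone or key material involved.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    time: int        # tick at which the authoritative RRset changes
    rrset: str       # "DS" (parent side) or "DNSKEY" (child side)
    keys: frozenset  # key tags present in the RRset from that tick on


def published(events, rrset, t):
    """Key tags the authoritative server hands out for `rrset` at tick t."""
    cur = frozenset()
    for e in sorted(events, key=lambda e: e.time):  # stable sort: later events win ties
        if e.rrset == rrset and e.time <= t:
            cur = e.keys
    return cur


class Validator:
    """Caching validator: re-fetches an RRset only once its TTL has expired."""

    def __init__(self, ttl_ds, ttl_dnskey):
        self.ttl = {"DS": ttl_ds, "DNSKEY": ttl_dnskey}
        self.cache = {}  # rrset -> (keys, expiry tick)

    def lookup(self, events, rrset, t):
        keys, expiry = self.cache.get(rrset, (None, -1))
        if t >= expiry:
            keys = published(events, rrset, t)
            self.cache[rrset] = (keys, t + self.ttl[rrset])
        return keys


def rollover(old, new, ttl_ds, ttl_dnskey, wait):
    """The quoted schedule: add DNSKEY, add DS, wait `wait` ticks, drop old DS, drop old DNSKEY.

    Changes start at t0 = max TTL so that validators of every cache phase
    already hold the old data when the rollover begins.
    """
    t0 = max(ttl_ds, ttl_dnskey)
    return [
        Event(0, "DS", frozenset({old})),
        Event(0, "DNSKEY", frozenset({old})),
        Event(t0, "DNSKEY", frozenset({old, new})),
        Event(t0 + 1, "DS", frozenset({old, new})),
        Event(t0 + 1 + wait, "DS", frozenset({new})),
        Event(t0 + 2 + wait, "DNSKEY", frozenset({new})),
    ]


def first_failure(events, ttl_ds, ttl_dnskey):
    """Return (tick, ds_phase, dnskey_phase) for the first validator that loses
    the chain of trust, or None if every cache phase validates throughout.

    Simplification: the DNSKEY RRset counts as verifiable whenever some cached
    DS matches some cached DNSKEY; RRSIG validity periods are not modelled.
    """
    horizon = max(e.time for e in events) + max(ttl_ds, ttl_dnskey) + 1
    for a in range(ttl_ds):          # tick of this validator's first DS fetch
        for b in range(ttl_dnskey):  # tick of its first DNSKEY fetch
            v = Validator(ttl_ds, ttl_dnskey)
            ds = dnskey = frozenset()
            for t in range(horizon):
                if t >= a:
                    ds = v.lookup(events, "DS", t)
                if t >= b:
                    dnskey = v.lookup(events, "DNSKEY", t)
                if t >= max(a, b) and not (ds & dnskey):
                    return (t, a, b)
    return None


def minimum_safe_wait(ttl_ds, ttl_dnskey, old=11111, new=22222):
    """Smallest `wait` for which no cache phase ever fails validation."""
    wait = 0
    while first_failure(rollover(old, new, ttl_ds, ttl_dnskey, wait), ttl_ds, ttl_dnskey):
        wait += 1
    return wait


if __name__ == "__main__":
    TTL_DS, TTL_DNSKEY = 4, 6  # constructed values; think of them as hours
    for wait in (0, 3, max(TTL_DS, TTL_DNSKEY)):
        ev = rollover(11111, 22222, TTL_DS, TTL_DNSKEY, wait)
        print(f"wait={wait}: first failure {first_failure(ev, TTL_DS, TTL_DNSKEY)}")
    print("minimum safe wait:", minimum_safe_wait(TTL_DS, TTL_DNSKEY))
```

With DS TTL 4 and DNSKEY TTL 6, removing the old DS after only 3 ticks breaks a validator that cached the old-only DNSKEY RRset at tick 5 and first re-fetches DS at tick 10, which is exactly the case the quoted message warns about; waiting the larger of the two TTLs leaves every phase intact. The model also shows the rule is sufficient rather than tight (the minimum here is 4, not 6), because the old key is still signed for as long as both DS and DNSKEY carry it.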
