Kim,
could the ITAR have a serial number that could be checked without
having to download and parse the whole file, to enable quick checks
from consumers of the ITAR information that would not overwhelm either
end of the communication?
Joao
PS: or even, could it be published as a DNS zone of some name, with a
TTL and an SOA?
On 14 Sep 2009, at 18:01, Kim Davies wrote:
Hi Mark,
On 11/09/09 4:47 PM, "Mark Andrews" <ma...@isc.org> wrote:
Publish new DNSKEY, publish new DS, wait at least the max TTL of
the old DS/DNSKEY TTLs. Remove old DS, remove old DNSKEY.
The same thing should be happening with ITAR. Publish new DNSKEY,
publish new DS, wait the prescribed period for the trust anchors to
be updated, remove old DS, remove old DNSKEY.
At the moment no one knows how long to wait as you haven't told
anyone what that period should be.
Are you suggesting ITAR needs to add TTLs, or that ITAR should somehow
technically enforce sufficiently long overlap periods, or should it just
provide rules that TLD operators are expected to abide by?
The assumption right now is it is for the TLD operators to act responsibly
and make changes as appropriate. ITAR is just an oblivious republisher of
data that they have submitted, and has subsequently verified is genuine. It
seems to me the problems you describe are ones of encouraging best practice
amongst TLD operators, rather than a specific defect in ITAR.
Kim
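The rollover sequence Mark quotes above, turned into a schedule checker. This is an example added here, not code from the thread or from ITAR: it encodes the "wait at least the max TTL of the old DS/DNSKEY" rule and adds an assumed trust-anchor update period, the value the thread says ITAR had not yet prescribed. All times, TTLs and the two sample plans are constructed.

```python
from dataclasses import dataclass

@dataclass
class RolloverPlan:
    """Timeline of a TLD KSK rollover. Times are seconds from an arbitrary
    epoch; TTLs and periods are seconds. All values used below are constructed."""
    publish_new_dnskey: int
    publish_new_ds: int
    remove_old_ds: int
    remove_old_dnskey: int
    old_dnskey_ttl: int
    old_ds_ttl: int
    # Assumed "prescribed period" for trust-anchor consumers to pick up the
    # new DS from the repository; the thread notes ITAR has not defined one.
    trust_anchor_update_period: int

def earliest_safe_ds_removal(plan: RolloverPlan) -> int:
    """The old DS may go only after the new DNSKEY and DS are published AND
    both resolver caches (max old TTL) and trust-anchor consumers (assumed
    period) have had time to catch up; the longer wait wins."""
    new_visible = max(plan.publish_new_dnskey, plan.publish_new_ds)
    cache_wait = max(plan.old_dnskey_ttl, plan.old_ds_ttl)
    return new_visible + max(cache_wait, plan.trust_anchor_update_period)

def check_rollover(plan: RolloverPlan) -> list[str]:
    """Return a list of violations; an empty list means the plan is safe."""
    problems = []
    if plan.publish_new_ds < plan.publish_new_dnskey:
        problems.append("new DS published before the new DNSKEY it refers to")
    safe = earliest_safe_ds_removal(plan)
    if plan.remove_old_ds < safe:
        problems.append(f"old DS removed at {plan.remove_old_ds}s, "
                        f"earliest safe time is {safe}s")
    # Validators may still hold the old DS in cache, so the old DNSKEY must
    # outlive it by the old DS TTL (a step the thread's wording leaves implicit).
    if plan.remove_old_dnskey < plan.remove_old_ds + plan.old_ds_ttl:
        problems.append("old DNSKEY removed while cached old DS may still point at it")
    return problems

DAY = 86400
# Constructed: operator waited only for DNS caches, not for trust-anchor
# consumers, which is exactly the gap Mark describes.
HASTY = RolloverPlan(0, 3600, 3600 + DAY, 3600 + 2 * DAY, 3600, DAY, 7 * DAY)
# Constructed: same keys, but removal waits out the assumed 7-day period.
PATIENT = RolloverPlan(0, 3600, 3600 + 7 * DAY, 3600 + 8 * DAY, 3600, DAY, 7 * DAY)

if __name__ == "__main__":
    for name, plan in (("hasty", HASTY), ("patient", PATIENT)):
        print(name, check_rollover(plan) or "OK")
```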
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop