At 14:45 -0400 9/14/09, David Blacka wrote:

I think it works to simply say this:

  * The ITAR should be checked for changes once per 24 hour period.

Then:

  * consumers (e.g., dlv.isc.org, me) will know to check at least once per day;
  * TLD operators would know to pre-publish the new DS at least 24 hours
    before doing the KSK roll.

Plus an allowance for TTLs.

It's a bit more complicated I think, unless I missed a fine point in the message.

To nit pick: "TLD operators would know to pre-publish the new DS" is incorrect per se - the DS set for a zone is authoritative at the parent.

When I want to change a SEP, first I plan to have it in my DNSKEY set for a long enough period to satisfy at least RFC 5011 and the time it takes for all caches to time out all DNSKEY set versions prior to the new SEP-to-be.

Next I add the new SEP signature to the DNSKEY set and ask the parent to change the DS record in my DS RRSet. Change means take out the old and put in the new (per algorithm/etc.). I don't remove anything at this point.

I don't think the parent's TTL considerations matter because I am placing two SEPs into play while waiting. As soon as I see the new DS record appear in the zone (and the old DS gone), I start a timer based on my TTL for the DNSKEY set. Once that timer expires I RFC5011-revoke the old SEP (and sign the whole key set with old and new SEP key).

According to RFC 5011 rules I then remove the old SEP and any signature at the appropriate time.

As it is, I don't expect any TLD operator to have any idea of how long they must pre-publish, nor any consumer to know how often to poll IANA for any changes.

Polling is suboptimal when an event is anticipated but it is a good catch all to avoid missing an event notification.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
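As an added illustration (not from this thread), here is a small Python model of the signer-side timeline Edward describes together with the resolver-side RFC 5011 state machine it has to satisfy; it assumes the RFC 5011 default hold-down times of 30 days, treats DNSKEY signature validation as already done, and uses constructed key tags.

```python
"""RFC 5011 trust-anchor state machine and a KSK rollover timeline (added example)."""
from datetime import datetime, timedelta

ADD_HOLD_DOWN = timedelta(days=30)     # RFC 5011 default add hold-down time
REMOVE_HOLD_DOWN = timedelta(days=30)  # RFC 5011 default remove hold-down time


def rollover_schedule(pre_publish, dnskey_ttl, ds_seen):
    """Signer-side timeline for the steps in the message: pre-publish the new
    SEP, request the DS change, revoke the old SEP, then remove it."""
    # Conservative: caches may serve the old DNSKEY set for a TTL before
    # resolvers even start the add hold-down on the new SEP.
    earliest_ds_request = pre_publish + dnskey_ttl + ADD_HOLD_DOWN
    revoke_at = ds_seen + dnskey_ttl              # timer based on DNSKEY TTL
    remove_at = revoke_at + REMOVE_HOLD_DOWN      # RFC 5011 remove hold-down
    return {"earliest_ds_request": earliest_ds_request,
            "revoke_at": revoke_at, "remove_at": remove_at}


class Resolver5011:
    """Simplified RFC 5011 section 4 states: AddPend, Valid, Revoked (keys in
    Start/Removed are simply absent). Signature checks are assumed done."""

    def __init__(self, initial_tags):
        self.keys = {tag: ("Valid", None) for tag in initial_tags}  # tag -> (state, since)

    def observe(self, now, dnskey_set):
        """dnskey_set maps key tag -> REVOKE bit, as seen by an active refresh."""
        # Only a DNSKEY RRset signed by a currently Valid trust anchor counts.
        if not any(self.keys.get(t, ("",))[0] == "Valid" for t in dnskey_set):
            return
        for tag, revoked in dnskey_set.items():
            state, _ = self.keys.get(tag, ("Start", None))
            if state == "Start" and not revoked:
                self.keys[tag] = ("AddPend", now)   # start add hold-down
            elif state == "Valid" and revoked:
                self.keys[tag] = ("Revoked", now)   # start remove hold-down
        for tag, (state, since) in list(self.keys.items()):
            if state == "AddPend" and (tag not in dnskey_set or dnskey_set[tag]):
                del self.keys[tag]                  # hold-down interrupted
            elif state == "AddPend" and now - since >= ADD_HOLD_DOWN:
                self.keys[tag] = ("Valid", None)    # becomes a trust anchor
            elif state == "Revoked" and now - since >= REMOVE_HOLD_DOWN:
                del self.keys[tag]                  # old SEP finally removed

    def trusted(self):
        return sorted(t for t, (s, _) in self.keys.items() if s == "Valid")
```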