On Sep 11, 2009, at 7:58 PM, joao damas wrote:

> On 11 Sep 2009, at 17:54, Roy Arends wrote:
>
>> On Sep 11, 2009, at 5:40 PM, joao damas wrote:
>>
>>> On 11 Sep 2009, at 17:07, Roy Arends wrote:
>>>
>>>> I'd recommend that domain holders who do NOT want their dnskey
>>>> (or hashed derivative) end up in some DLV, copyright their public
>>>> keys. I also recommend that, when submitting TLD DNSKEYS to IANA,
>>>> IANA allows option that the keys will NOT be published in their
>>>> ITAR and solely be distributed via the root zone (in that 6 month
>>>> period when both exist).
>>>
>>> Well, I hope not. In fact I hope the ITAR never goes away and I
>>> have a means of cross checking the info the IANA has and publishes
>>> directly against what ends up in the root zone.
>>>
>>> I also hope they are the same all the time, but it is just nice to
>>> be able to check what things look like when they enter the
>>> pipeline and when they come out.
>>
>> There can be private channels for debugging, no? Would you want
>> that viewable publicly by any DLV cowboys?
>
> why not? I don't really care what people do in their spare time.
> Private channels for debugging is a "silly" idea. Private to whom?
> are some of us more equal than others?

1) for .INFO, you want only Afilias to be able to add or change the
   DS/DNSKEY in the ITAR. Yes?

2) Subsequently, before it is published in the root, you'd like to see
   if it is correct. Yes?

3) after publication, just use dig (tm) to see what things look like
   when they come out.

At least for Nominet, I want (2) to do cross-checking, be able to
check what things look like before they enter the pipeline, preferably
using the same channel as (1). Before I push the 'publish' button, I
want to check it in private. After I push the publish button, it's in
the root, and world can check it with me, using dig.

If some folks, just as equal as I am, with a lot more spare time, have
that urge to publish my key, just because they can, but synch only
once a week with the ITAR, and then point the finger at me for not
telling them I changed my key 4 days ago, I'd tell them to Just Go Away.

roy
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop