On Sep 11, 2009, at 7:58 PM, joao damas wrote:


On 11 Sep 2009, at 17:54, Roy Arends wrote:

On Sep 11, 2009, at 5:40 PM, joao damas wrote:


On 11 Sep 2009, at 17:07, Roy Arends wrote:


I'd recommend that domain holders who do NOT want their dnskey (or hashed derivative) to end up in some DLV, copyright their public keys. I also recommend that, when submitting TLD DNSKEYS to IANA, IANA allows the option that the keys will NOT be published in their ITAR and solely be distributed via the root zone (in that 6 month period when both exist).

Well, I hope not. In fact I hope the ITAR never goes away and I have a means of cross checking the info the IANA has and publishes directly against what ends up in the root zone. I also hope they are the same all the time, but it is just nice to be able to check what things look like when they enter the pipeline and when they come out.

There can be private channels for debugging, no? Would you want that viewable publicly by any DLV cowboys?

Why not? I don't really care what people do in their spare time.
Private channels for debugging is a "silly" idea. Private to whom?
Are some of us more equal than others?

1) for .INFO, you want only Afilias to be able to add or change the DS/DNSKEY in the ITAR. Yes?
2) Subsequently, before it is published in the root, you'd like to see if it is correct. Yes?
3) after publication, just use dig (tm) to see what things look like when they come out.

At least for Nominet, I want (2) to do cross-checking, be able to check what things look like before they enter the pipeline, preferably using the same channel as (1). Before I push the 'publish' button, I want to check it in private. After I push the publish button, it's in the root, and the world can check it with me, using dig.

If some folks, just as equal as I am, with a lot more spare time, have that urge to publish my key, just because they can, but synch only once a week with the ITAR, and then point the finger at me for not telling them I changed my key 4 days ago, I'd tell them to Just Go Away.

roy






_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
