On 11 Sep 2009, at 20:27, Roy Arends wrote:

1) for .INFO, you want only Afilias to be able to add or change the DS/DNSKEY in the ITAR. Yes?

I want Afilias, and only Afilias, to tell the IANA and IANA to publish it, yes.

2) Subsequently, before it is published in the root, you'd like to see if it is correct. Yes?

Not necessarily before (not me as a user; the publisher might want to see it before). As a consumer of the information, at the same time is good enough.

3) after publication, just use dig (tm) to see what things look like when they come out.

You mean after the validator has failed and the phone is red hot?


At least for Nominet, I want (2) to do cross-checking, be able to check what things look like before they enter the pipeline, preferably using the same channel as (1). Before I push the 'publish' button, I want to check it in private. After I push the publish button, it's in the root, and the world can check it with me, using dig.

I want an out-of-band channel, just like I can download the root zone using ftp today (only that I would prefer to do it from IANA rather than the rs.internic.net machine).


If some folks, just as equal as I am, with a lot more spare time, have that urge to publish my key, just because they can, but synch only once a week with the ITAR, and then point the finger at me for not telling them I changed my key 4 days ago, I'd tell them to Just Go Away.


And you would be right to do so, IMHO. The fact that dlv.isc.org didn't pick up the .pr key is an issue that rests entirely with ISC (then again, we are all learning operational practices in this DNSSEC business at this time).

Joao