> On 9 Oct 2023, at 19:30, George Michaelson <g...@algebras.org> wrote:

Thanks for the constructive comments. Appreciated.

> 
> I wonder if some kind of "limited licence local signing key" model
> could be used, to get a signed permit from a "real" TA in the DNS to
> specify the zone(s) that a limited licence key could use, with a far
> longer than normal time over the rights signing. Because we don't want
> inflated lifetimes/validity intervals at large, but you probably need
> something which can sustain the long delay component here.

I understand your point and it looks interesting to look at, but can this idea be 
done using current DNSSEC? Or is this something that needs to be developed?

> 
> The absence of repudiation in this model (which was conscious and
> deliberate as I understand it, rejecting CRLs) means there's no easy
> mechanism to say "I changed my mind" over long lived things.
> 
> Long ago, Australia operated a national DNS model which had a 9600
> "dns & ntp only, munnari mostly" link behind it, which allowed one
> node to sync and certify into the root. It wasn't formal, it was self
> policed, and it pre-dated widescale IP connectivity (from memory, 3 or
> 4 universities in Melbourne plus the CSIRO had access) -which meant we
> could get on with using IP in a local context but remain connected to
> the namespace through a thin long wire. I'm not sure it actually had
> any advantage over a periodic re-sync from a zone state, other than
> being 'the IPv4, just a bit constrained'
> 
> This isn't the only proposal in name to address processes

I’ve been looking for prior art but have not been able to find any, which 
should in my book include DNSSEC.

> which harks
> back to HOSTS.TXT, I am sure others have (it may be I have been
> reading other things in the same space about interplanetary internet)

Maybe you are reading what I wrote in the recent paper published by IPNSIG on 
interplanetary internet ;-)

> -And maybe the way forward is to focus on the complete zone, and
> signed states (ZONEMD?) over the complete zone which could establish
> trust, and not demand new/different TA structures?

Can you elaborate?

Regards, Marc.

> 
> -G
> 
> On Mon, Oct 9, 2023 at 5:18 AM Marc Blanchet <marc.blanc...@viagenie.ca> 
> wrote:
>> 
>> Hello,
>> The primary use case of this draft is the deployment of naming 
>> infrastructure on celestial bodies networks, but could be applied for other 
>> use cases.
>> 
>> Would love to get people reviews and comments.
>> 
>> Marc.
>> 
>> Begin forwarded message:
>> 
>> From: internet-dra...@ietf.org
>> Subject: New Version Notification for 
>> draft-many-dnsop-dns-isolated-networks-00.txt
>> Date: 8 October 2023 at 15:16:10 EDT
>> To: "Marc Blanchet" <marc.blanc...@viagenie.ca>
>> 
>> A new version of Internet-Draft draft-many-dnsop-dns-isolated-networks-00.txt
>> has been successfully submitted by Marc Blanchet and posted to the
>> IETF repository.
>> 
>> Name:     draft-many-dnsop-dns-isolated-networks
>> Revision: 00
>> Title:    Domain Name System in Mostly Isolated Networks
>> Date:     2023-10-08
>> Group:    Individual Submission
>> Pages:    7
>> URL:      
>> https://www.ietf.org/archive/id/draft-many-dnsop-dns-isolated-networks-00.txt
>> Status:   
>> https://datatracker.ietf.org/doc/draft-many-dnsop-dns-isolated-networks/
>> HTML:     
>> https://www.ietf.org/archive/id/draft-many-dnsop-dns-isolated-networks-00.html
>> HTMLized: 
>> https://datatracker.ietf.org/doc/html/draft-many-dnsop-dns-isolated-networks
>> 
>> 
>> Abstract:
>> 
>>  This document lists operational methods to enable local DNS name
>>  resolving on an isolated network, where that network have
>>  intermittent reachability to Internet and/or have very long delays,
>>  disabling the real-time query and response flow to the authoritative
>>  name servers on Internet.
>> 
>> 
>> 
>> The IETF Secretariat
>> 
>> 
>> 
>> _______________________________________________
>> DNSOP mailing list
>> DNSOP@ietf.org
>> https://www.ietf.org/mailman/listinfo/dnsop
