Apologies for using a meaningful Subject: header....
On 10 Sep 2009, at 22:09, Paul Wouters wrote:
> A TLD should do due diligence. I mean, it's their core business. It's
> the ONLY thing they should do right. Make sure their zone file works.
True. Now please suggest how someone can perform that due diligence in
circumstances where there are unknown (to them) actors between how
they sign the zone and how others may or may not verify those
signatures.
> Even when this issue was found, they could have easily added their
> old key to the zone to ensure DLV would work until it got updated.
That's not the issue. [Let's leave aside the bizarre logic of "after
you've had your heart transplant, keep the old, diseased one handy in
case you might have to go back to it one day".] Anyone lodging keys
with the ITAR has no formal knowledge whatsoever over who is slurping
data from the ITAR or what they might be doing with that data. Or who
depends on whatever flavour of the month trust anchor that third party
may have constructed. AFAICT there are no (service level) agreements
underpinning these arrangements.
Rather than consider this in the abstract, let's now look at the
specifics.
Is there an agreement between .pr and IANA about the ITAR? Probably. I
don't know. Does anyone retrieving data from the ITAR have an
agreement with IANA covering that? I very much doubt it. Has ISC
told .pr "Be informed we're slurping your keys from the ITAR and
feeding them to our DLV engine. This happens once a day/week/whatever.
Bear this in mind if you ever roll a key"? I doubt it. Is there an
agreement or written understanding between .pr and ISC on how both
parties will behave wrt publishing or rotating .pr's keys? Probably
not. IIUC ISC provides its DLV service under a best-efforts, hold
harmless basis and there are no agreements between ISC and those using
its DLV service.
So is it any surprise that Bad Things happen if a zone signer has to
take into account someone else's processes and procedures that they
don't know anything about whenever they do a key rollover?
> Reality is, there is only one DLV they need to worry about.
Prove it.
FYI, there have been occasional postings on bind-users about how to
use and set up DLV. So some people have been playing with it. They
might even have it working behind a campus/corporate firewall.
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop