On Fri, 11 Sep 2009, Jim Reid wrote:

>> If dlv.isc.org is an unknown actor to a DNSSEC-signed TLD, they indeed
>> have a big problem!
>
> Stephane, you are picking nits instead of addressing the points I made.

Uhm no. The above statement is a good summary.

> At one level this is no big deal in the context of minimal DNSSEC deployment and only some fraction of that being dependent on dlv.isc.org.

If you install a nameserver on Fedora 11 or newer, it comes with TLD keys
preloaded and DLV enabled. What are you calling "minimal"?

> However we are talking about something that affects core Internet infrastructure, namely a TLD. IMO, more care is needed. If the Internet people don't do that, there is a strong possibility their toys will one day get taken away because governments will decide they have to intervene to impose order on something that appears to them to be (a) important; (b) unsatisfactorily supervised.

Are you suggesting that if a TLD makes a big mistake, we, the Internet people,
are to blame for any government consequences?

> I am not blaming anyone or seeking to apportion blame. I'm simply pointing out that it's not wise for the operation of things like DLV to be based on unstated assumptions and goodwill best efforts (however noble these things are) instead of documented processes/procedures.

TLDs should have an internal documentation process on key rollovers. If they
want to share their documents with the community, even better. But the
community is in no position to dictate procedure, nor to be the party assigned
the blame when things go wrong.

> No I'm not saying that. I am saying that it is not wise to work from the assumption (correct or otherwise) that dlv.isc.org is the only DLV in town.

If there is another DLV Registry in use, those people had better speak up
in the community to make others aware. It's not our job to hunt down
DLV Registries. Since one can only configure one DLV in the two popular nameservers
supporting DLV, it seems unlikely another public DLV is deployed. If someone is
deploying a non-public DLV, they had better be aware that they cannot be notified,
and therefore need a good working active key verification procedure for their
DLV.

> If someone claims there is no other DLV, then the onus on them is to prove that.

Ever heard of Bertrand Russell's teapot around Mars argument?

Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
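Paul's point above is that an operator who cannot be notified of a DLV key rollover needs an active check of their own: periodically compare the trust anchor the resolver has configured against the DNSKEY RRset the lookaside zone actually serves, and alarm when nothing matches any more. The following is an added example of such a check, not code from the thread, ISC, BIND or Unbound. The encoding rules it implements (lowercase wire-format owner name, the RFC 4034 Appendix B key tag, the DS digest over owner||DNSKEY RDATA from RFC 4034 and RFC 4509) are standard; the zone name, key bytes and anchor values are constructed sample data, not real dlv.isc.org keys, and the DNSKEY RRset is passed in as a list rather than fetched over DNS so the script runs offline.

```python
"""Active DLV trust-anchor check: does the DS we configured still match a
DNSKEY the lookaside zone currently serves?

Added example, not code from the thread or from ISC/BIND/Unbound.  The zone
name, keys and anchors below are constructed sample data (not real
dlv.isc.org keys); the RRset is supplied inline instead of queried.
"""
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, protocol octet, algorithm octet, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int,
                   pubkey_b64: str, digest_type: int = 2) -> tuple:
    """DS (key_tag, algorithm, digest_type, hex digest) for one DNSKEY.

    digest_type 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
    """
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = hasher(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, digest_type, digest)


def matched_anchors(owner: str, anchors: list, dnskeys: list) -> list:
    """Return the configured DS anchors that some served DNSKEY still satisfies.

    anchors: configured DS records as (key_tag, algorithm, digest_type, hexdigest)
    dnskeys: the zone's current DNSKEY RRset as (flags, protocol, algorithm, pubkey_b64)
    An empty result means every anchor is stale: the DLV operator rolled its key
    and this resolver was never updated, which is the failure mode discussed above.
    """
    served = set()
    for (flags, proto, alg, key) in dnskeys:
        for dtype in (1, 2):  # compute both digest types so either anchor form matches
            served.add(ds_from_dnskey(owner, flags, proto, alg, key, dtype))
    return [a for a in anchors if (a[0], a[1], a[2], a[3].lower()) in served]


# --- constructed sample data (not real keys) -----------------------------------
DLV_ZONE = "dlv.isc.org."
# Fake 64-byte "public keys"; flags 257 = KSK/SEP, protocol 3, algorithm 8 = RSASHA256.
OLD_KSK = (257, 3, 8, base64.b64encode(bytes(range(1, 65))).decode())
NEW_KSK = (257, 3, 8, base64.b64encode(bytes(range(65, 129))).decode())

# What this resolver has configured: the SHA-256 DS of OLD_KSK.
CONFIGURED_ANCHORS = [ds_from_dnskey(DLV_ZONE, *OLD_KSK)]


def check(current_rrset: list) -> dict:
    """Summarise whether any configured anchor still matches the served RRset."""
    ok = matched_anchors(DLV_ZONE, CONFIGURED_ANCHORS, current_rrset)
    return {"anchors": len(CONFIGURED_ANCHORS), "matched": len(ok), "stale": not ok}


if __name__ == "__main__":
    print("before rollover:", check([OLD_KSK]))
    print("after unannounced rollover:", check([NEW_KSK]))
```

In production the `current_rrset` argument would come from a DNSKEY query for the DLV zone (validated against the anchor that is still good, during a pre-publish rollover both old and new keys are served, so the check passes until the old key is withdrawn); the point of running it on a schedule is that the "stale" case fires before validation starts failing for every DLV-dependent name.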
