On 04-03-13 16:02, Joe Abley wrote:
> I think TLD registry operators should remove themselves from the
> business of providing quality control over DS RRSets, just as
> (most) do with NS RRSets. Such behaviour unnecessarily constrains
> technical decisions made by the operators of child zones, acts to
> suppress the use of new algorithms and provides no tangible benefit
> to child nor parent.

And gives room to all the miscreants that want to abuse that, as it only gives benefit to the use case of that one child, but a parent has to watch over all his children.

We do check NS/DS/whois data, phishing and typosquatting, DNS abuse and DDoS attacks, and our constituency also wants us to do that to feel comfortable under our domain. It has proven to create a safer environment. It has little to do with TLDs, it has to do with being a good parent.

I'm all for experimenting and innovating. But I'm also for stability and security for the ones that need that. That's also a use case that needs to be supported. So do experiments in your own tree, not affecting the tree others use for stability. Create your own. DNS is perfectly suited to do that without including your parent and all its other children in your own experiment.

I don't see the difference in algorithm adoption when only a DS hash at the parent is to be chosen freely while the parent's DNSKEY is still set by the parent's policy. A DS is not a SEP, the DNSKEY is.

I feel the whole discussion is more emotion than fact. People want to influence what their parent does, like little children asking for a higher allowance. Not realizing that they can be a parent themselves if they want to, but walk away from that responsibility.

I think the whole idea of sending a DS to your parent is also historical, and has nothing to do with the model. Because BIND's signing tools create both your DNSKEY and a DS hash for the convenience of experimenting, everybody now thinks he has to do something with that DS, and because you created it, it's yours.
We started off wrong by accepting DS as parents; we should have started with DNSKEY right away. Other processes need DNSKEY (Secure DNS operator transfers, for example).

--
Antoin Verschuren
Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500
M: +31 6 23368970
Mailto: [email protected]
XMPP: [email protected]
HTTP://www.sidn.nl/

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
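The parent-side "quality control over DS RRSets" that the two sides of this thread disagree about comes down to one mechanical step: recompute the DS digest from the child's published DNSKEY RDATA (RFC 4034 section 5.1.4) and compare it with the DS the child submitted. The following is an added worked example, written for this page and not code from the DNSOP thread, from SIDN or from any registry; the owner name `child.example.`, the two DNSKEY records and the 64-byte "public key" bytes are constructed and are not real keys. It also shows the tension Joe Abley raises: a DS using a digest type the parent's checker does not know (here type 3, GOST, which `hashlib` lacks) is refused even though the child's key may be perfectly valid.

```python
"""Parent-side DS check: does the submitted DS match a DNSKEY the child publishes?

Added example, not from the DNSOP thread. Names, keys and digests are constructed.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# DS digest types this checker understands (RFC 4034, RFC 4509, RFC 6605).
# Type 3 (GOST R 34.11-94, RFC 5933) is deliberately absent: hashlib has no
# implementation, so it models the "parent rejects a new algorithm" case.
DIGEST_ALGS = {1: "sha1", 2: "sha256", 4: "sha384"}


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        # RFC 4034 s2.1: flags(2) | protocol(1) | algorithm(1) | public key
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:  # the root name "." yields no labels
            continue
        lb = label.encode("ascii")
        if len(lb) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(lb)]) + lb
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: a 16-bit checksum over the DNSKEY RDATA (not a hash)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """Derive the DS for a DNSKEY: digest(owner name in wire form | DNSKEY RDATA)."""
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(wire_name(owner) + key.rdata())
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, h.digest())


def check_ds(owner: str, submitted: DS, dnskeys: list) -> str:
    """Parent-side check. Returns 'ok' or a short reason string on failure."""
    if submitted.digest_type not in DIGEST_ALGS:
        return "unsupported digest type %d" % submitted.digest_type
    for key in dnskeys:
        if key.protocol != 3:  # RFC 4034 s2.1.2: only protocol 3 is a DNSSEC key
            continue
        if key.algorithm != submitted.algorithm:
            continue
        if key_tag(key.rdata()) != submitted.key_tag:
            continue  # key tags can collide, so keep scanning on any mismatch below
        expected = make_ds(owner, key, submitted.digest_type)
        if hmac.compare_digest(expected.digest, submitted.digest):
            return "ok"
    return "no DNSKEY at %s matches the submitted DS" % owner


# Constructed child zone data (hypothetical; 64 zero-based bytes stand in for a P-256 key).
CHILD = "child.example."
KSK = DNSKEY(flags=257, protocol=3, algorithm=13, public_key=bytes(range(64)))
ZSK = DNSKEY(flags=256, protocol=3, algorithm=13, public_key=bytes(range(64, 128)))


def demo() -> dict:
    """Run the checker over a valid DS, a tampered one, a rolled-away key and a GOST DS."""
    good = make_ds(CHILD, KSK)
    tampered = DS(good.key_tag, good.algorithm, good.digest_type, bytes(32))
    gost = DS(good.key_tag, good.algorithm, 3, good.digest)
    return {
        "good": check_ds(CHILD, good, [KSK, ZSK]),
        "tampered": check_ds(CHILD, tampered, [KSK, ZSK]),
        "key rolled away": check_ds(CHILD, good, [ZSK]),
        "gost": check_ds(CHILD, gost, [KSK, ZSK]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-16s %s" % (case + ":", result))
```

Two design points follow from the message above. The check never looks at the SEP bit, because a DS is just a digest over whichever DNSKEY it was derived from; a parent that insists on the DNSKEY itself (the SEP) rather than a DS gets the same information and can derive any digest type later. And `DIGEST_ALGS` is the exact place where a parent's policy either blocks or admits a new algorithm: keeping it current is the cost of doing this check at all.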
