I wonder if some kind of "limited licence local signing key" model could be used, to get a signed permit from a "real" TA in the DNS to specify the zone(s) that a limited licence key could use, with a far longer than normal time over the rights signing. Because we don't want inflated lifetimes/validity intervals at large, but you probably need something which can sustain the long delay component here.
The absence of repudiation in this model (which was conscious and deliberate as I understand it, rejecting CRLs) means there's no easy mechanism to say "I changed my mind" over long lived things.

Long ago, Australia operated a national DNS model which had a 9600 "dns & ntp only, munnari mostly" link behind it, which allowed one node to sync and certify into the root. It wasn't formal, it was self policed, and it pre-dated widescale IP connectivity (from memory, 3 or 4 universities in Melbourne plus the CSIRO had access) - which meant we could get on with using IP in a local context but remain connected to the namespace through a thin long wire. I'm not sure it actually had any advantage over a periodic re-sync from a zone state, other than being 'the IPv4, just a bit constrained'.

This isn't the only proposal in name to address processes which harks back to HOSTS.TXT, I am sure others have (it may be I have been reading other things in the same space about interplanetary internet) - and maybe the way forward is to focus on the complete zone, and signed states (ZONEMD?) over the complete zone which could establish trust, and not demand new/different TA structures?

-G

On Mon, Oct 9, 2023 at 5:18 AM Marc Blanchet <[email protected]> wrote:
>
> Hello,
> The primary use case of this draft is the deployment of naming
> infrastructure on celestial bodies networks, but could be applied for other
> use cases.
>
> Would love to get people's reviews and comments.
>
> Marc.
>
> Begin forwarded message:
>
> From: [email protected]
> Subject: New Version Notification for
> draft-many-dnsop-dns-isolated-networks-00.txt
> Date: 8 October 2023 at 15:16:10 EDT
> To: "Marc Blanchet" <[email protected]>
>
> A new version of Internet-Draft draft-many-dnsop-dns-isolated-networks-00.txt
> has been successfully submitted by Marc Blanchet and posted to the
> IETF repository.
>
> Name: draft-many-dnsop-dns-isolated-networks
> Revision: 00
> Title: Domain Name System in Mostly Isolated Networks
> Date: 2023-10-08
> Group: Individual Submission
> Pages: 7
> URL: https://www.ietf.org/archive/id/draft-many-dnsop-dns-isolated-networks-00.txt
> Status: https://datatracker.ietf.org/doc/draft-many-dnsop-dns-isolated-networks/
> HTML: https://www.ietf.org/archive/id/draft-many-dnsop-dns-isolated-networks-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-many-dnsop-dns-isolated-networks
>
> Abstract:
>
> This document lists operational methods to enable local DNS name
> resolving on an isolated network, where that network has
> intermittent reachability to the Internet and/or has very long delays,
> disabling the real-time query and response flow to the authoritative
> name servers on the Internet.
>
> The IETF Secretariat
>
> _______________________________________________
> DNSOP mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsop
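The ZONEMD idea raised above (a digest over the complete zone state, RFC 8976), as an added example that is not code from the thread, the draft, or any DNS implementation: a Python computation of the SHA-384 SIMPLE-scheme digest for a small constructed zone. It handles only A, NS and SOA records, and shows how a node that receives a whole zone copy over a long-delay link can recompute the digest and confirm the copy is complete and unaltered; checking the RRSIG over the ZONEMD record against a trust anchor is outside this snippet.

```python
import hashlib
import struct

# RR type codes from the IANA DNS parameters registry (only the ones handled here).
TYPE = {"A": 1, "NS": 2, "SOA": 6, "ZONEMD": 63}
CLASS_IN = 1

def labels(name):
    """Lowercased labels of a fully qualified name, as RFC 4034 s6.2 canonical form requires."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def name_wire(name):
    """Uncompressed wire form of the name."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(name)) + b"\x00"

def name_key(name):
    """Sort key reproducing RFC 4034 s6.1 canonical name order (rightmost label first)."""
    return tuple(reversed(labels(name)))

def rdata_wire(rtype, fields):
    """Canonical RDATA for the handled types; embedded names are lowercased and uncompressed."""
    if rtype == "A":
        return bytes(int(octet) for octet in fields.split("."))
    if rtype == "NS":
        return name_wire(fields)
    if rtype == "SOA":
        mname, rname, *counters = fields  # serial, refresh, retry, expire, minimum
        return name_wire(mname) + name_wire(rname) + struct.pack("!IIIII", *counters)
    raise ValueError(f"type {rtype} is not handled by this example")

def zonemd_digest(apex, zone):
    """SHA-384 over the canonically ordered zone: ZONEMD Scheme SIMPLE, Hash Algorithm 1 (RFC 8976 s3.3)."""
    rrs = {}
    for owner, ttl, rtype, fields in zone:
        if rtype == "ZONEMD" and name_key(owner) == name_key(apex):
            continue  # the apex ZONEMD RRset is never part of its own digest
        rdata = rdata_wire(rtype, fields)
        key = (name_key(owner), CLASS_IN, TYPE[rtype], rdata)  # canonical RR order
        header = struct.pack("!HHIH", TYPE[rtype], CLASS_IN, ttl, len(rdata))
        rrs.setdefault(key, name_wire(owner) + header + rdata)  # duplicate RRs count once
    digest = hashlib.sha384()
    for key in sorted(rrs):
        digest.update(rrs[key])
    return digest.digest()

SAMPLE_ZONE = [  # constructed sample data (not real); the apex ZONEMD entry is a placeholder
    ("example.", 3600, "SOA", ("ns1.example.", "hostmaster.example.", 2023100801, 7200, 3600, 1209600, 3600)),
    ("example.", 3600, "NS", "ns1.example."),
    ("NS1.example.", 3600, "A", "192.0.2.1"),
    ("example.", 3600, "ZONEMD", None),
]
```

When checking a received ZONEMD record, compare the recomputed digest against its RDATA with hmac.compare_digest rather than ==.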
