nanog mailing list archives
Re: wrt joao damas' DLV talk on wednesday
From: David Conrad <drc () virtualized org>
Date: Mon, 12 Jun 2006 11:33:28 -0700
Randy,

On Jun 12, 2006, at 10:08 AM, Randy Bush wrote:
> actually, i suspect that the issues of dlv are exactly those of iana root signing, key management and tld signature policy.
Nope. Oh sure, from a technical perspective, the problems are pretty much the same, but I think they are solvable (if not in a way that will please everyone). However, one of the major layer-9 or above issues having to do with signing the root is "who is going to sign the root", which translates to "who owns the root". The answer, from a political perspective, isn't as obvious as one might wish.
When you push down a layer in the DNS hierarchy, then the layer-9 or above issue becomes _much_ clearer and easier to solve. ccTLD admins and folks like PIR, Verisign, Neustar, etc., have clear and unambiguous authority over their zones (not getting into the argument of whether they should have clear and unambiguous authority) and thus, there is no question who should sign those zones (how is a mere implementation detail).
The problem is, if you push down a layer, you have to figure out how to get the appropriate keying information into the caching server's "trusted-key" (or moral equivalent) statement. I personally think some sort of automated non-DNS out-of-band mechanism would be better than recreating the "who gets to sign X" problem, but there are lots of annoying details to deal with.
> and hence dlv is hoisted on the same petard it attempts to avoid, and then devolves to a simple power play of isc vs iana with neither having a good answer to the real technical and security issues.
Can you have a power play when at least one party doesn't play? IANA's role is really easy: people tell us what to do, we try to do it. When somebody tells IANA how to deal with root signing, key management, and TLD signature policy, we do what is necessary to implement what is asked of us. Until then, I'm a bemused bystander...
Rgds, -drc