[dns-operations] Online DNSSEC debugging tool now available

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 20:08:17 UTC 2010

On Mon, Jul 19, 2010 at 03:31:32PM -0400, Joe Abley wrote:
> On 2010-07-19, at 13:35, bmanning at vacation.karoshi.com wrote:
> >> Because .org rolled their key, changed the DS in ., and didn't publish
> >> a new TA?
> > 
> > 	sounds irresponsible to me.
> I don't understand this. We've heard from numerous TLDs for whom a DS record in the root zone *is* the method they choose to publish a trust anchor. Some of them have been waiting for the root before signing their zones precisely because they didn't want to publish their trust anchor in any other way. Others published their trust anchors in other ways as an interim measure.
> Are you saying you think there are TLDs who have made the conscious decision to support multiple methods of trust anchor publication, root zone and elsewhere? Who are they?
> Joe

	what I said was that it seems irresponsible to me for an entity to change its crypto
	tokens and _NOT_ tell everyone they had previously shared those tokens with.

	If I understand the specific case you lay out, if a TLD has only shared its crypto tokens
	with one party, then when they change the tokens, there is only a single party to update.

	if an entity ceases to use a given channel, they should notify folks that that channel
	is no longer valid.

	e.g. if .KIWI-LOVERS has been using the ISC/DLV service while waiting for the root
	to be signed, they should tell ISC to remove their entry.

	If Bills_Hope+Change_Bank runs RFC 5011 and distributes its Key to its clients and to
	its parent, then I would expect that when BH+CB changes its tokens, it would notify its
	clients and its parent that there are new crypto tokens.  Only telling one of those parties
	seems irresponsible.

	but that is just my POV.  
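Added example, not part of the thread: the check a validator operator would want in the .org situation described above, comparing the trust anchors configured locally against the DS set the parent actually publishes (RFC 4034 key tag and DS digest computed offline). All key bytes, the zone name and the function names are constructed for illustration, not real .org material.

```python
"""Find configured DNSSEC trust anchors the parent's DS set no longer vouches for."""
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, RFC 4034 section 6.2."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the whole RDATA, RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner wire name | DNSKEY RDATA); type 2 = SHA-256, 1 = SHA-1."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """(key tag, algorithm, digest type, digest) as the parent zone publishes it."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def anchor_is_current(owner: str, rdata: bytes, parent_ds: list) -> bool:
    """True if some parent DS (of whatever digest type) matches this anchor key."""
    return any(ds_record(owner, rdata, dtype) == (tag, alg, dtype, digest)
               for (tag, alg, dtype, digest) in parent_ds)

def stale_trust_anchors(owner: str, anchors: list, parent_ds: list) -> list:
    """Configured anchors that the parent no longer lists: candidates for removal."""
    return [k for k in anchors if not anchor_is_current(owner, k, parent_ds)]

# Constructed sample: a zone that rolled its KSK and updated only the parent DS.
OLD_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))      # still in the local TA file
NEW_KSK = dnskey_rdata(257, 8, bytes(range(100, 164)))   # the key the parent now lists
PARENT_DS = [ds_record("org.", NEW_KSK)]                 # constructed, not the real root DS

if __name__ == "__main__":
    for k in stale_trust_anchors("org.", [OLD_KSK, NEW_KSK], PARENT_DS):
        print(f"stale trust anchor: key tag {key_tag(k)} has no matching DS in the parent")
```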
