[dns-operations] .ORG DS in root zone

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Jul 25 20:30:13 UTC 2010

On Sun, Jul 25, 2010 at 10:32:51AM +0200, Edward Lewis wrote:
> At 5:51 +0000 7/24/10, <bmanning at vacation.karoshi.com> wrote:
> >	well... what is the policy here?  perhaps PIR wants
> >	folks to have access to their TA directly.  recommending
> >	a course of action w/o understanding the intended policy
> >	seems a bit dubious to me.
> This is a case of forgetting that DNSSEC is about protecting the 
> cache and not protecting the source of the information.
> "What is the policy here?"  Local policy rules.
> It's not what $operator (=PIR here) "wants" it is how does the cache 
> protect itself.
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis

	in the end, yes. However, if $operator has a published policy on 
	how it expects to expose its TA and then, if cache operators local
	policy is in conflict w/ $operator policy (thus overriding $operator
	policy) -- then when $operator makes a change that is not promptly
	reflected in cache operators linkedlist, then cache operator has
	no legitimate recourse to complain.  Operation of a cache with 
	a policy that is in conflict w/ $operators policy REQUIRES eternal
	vigilance to try and keep things in lockstep. 


More information about the dns-operations mailing list