[dns-operations] .ORG DS in root zone
bmanning at vacation.karoshi.com
Sun Jul 25 20:30:13 UTC 2010
On Sun, Jul 25, 2010 at 10:32:51AM +0200, Edward Lewis wrote:
> At 5:51 +0000 7/24/10, <bmanning at vacation.karoshi.com> wrote:
>
> > well... what is the policy here? perhaps PIR wants
> > folks to have access to their TA directly. recommending
> > a course of action w/o understanding the intended policy
> > seems a bit dubious to me.
>
> This is a case of forgetting that DNSSEC is about protecting the
> cache and not protecting the source of the information.
>
> "What is the policy here?" Local policy rules.
>
> It's not what $operator (=PIR here) "wants" it is how does the cache
> protect itself.
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis

in the end, yes. However, if $operator has a published policy on
how it expects to expose its TA and then, if cache operator's local
policy is in conflict w/ $operator policy (thus overriding $operator
policy) -- then when $operator makes a change that is not promptly
reflected in cache operator's linkedlist, then cache operator has
no legitimate recourse to complain. Operation of a cache with
a policy that is in conflict w/ $operator's policy REQUIRES eternal
vigilance to try and keep things in lockstep.
--bill