[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [dnsext] Trust Anchors

To: namedroppers@ops.ietf.org
Subject: Re: [dnsext] Trust Anchors
From: João Damas <joao@bondis.org>
Date: Tue, 27 Oct 2009 14:10:56 +0100
In-reply-to: <4AE6B245.1060603@nlnetlabs.nl>
References: <B23BFD68-D7E4-47AA-932E-87FED98D4892@nominum.com> <20091026145151.GD55437@shinkuro.com> <p06240811c70b7d2ce4ac@[10.20.30.158]> <4AE6B245.1060603@nlnetlabs.nl>

the operational problem here is, again, that resolver operators don'tnecessarily sync-up with zone producers.

I also think that closest should be the way to go when you have 2 ormore keys that can validate a given signature.

Given this is an operational problem, I believe tweaking the protocolwill never yield a perfect solution and that this sort of situationwould see the users better served by crafting a BCP where, forinstance, the choreography necessary for domain moves betweenregistrars would be listed.The situation when a parent zone becomes DNSSEC enabled (allowing DSrecords to be stored there and signed) might lead to an operationalrecommendation for the child zone producer to keep the keys unchangedfrom the time when the zone was an island, that is: do not roll justbecause your parent became DNSSEC-enabled.


Joao

Follow-Ups:
- registrar transfers (was Re: [dnsext] Trust Anchors)
  - From: Joe Abley <jabley@hopcount.ca>

References:
- [dnsext] Trust Anchors
  - From: Bob Halley <Bob.Halley@nominum.com>
- Re: [dnsext] Trust Anchors
  - From: Andrew Sullivan <ajs@shinkuro.com>
- Re: [dnsext] Trust Anchors
  - From: Paul Hoffman <paul.hoffman@vpnc.org>
- Re: [dnsext] Trust Anchors
  - From: "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>

Prev by Date: Re: [dnsext] Trust Anchors
Next by Date: Re: [dnsext] Trust Anchors
Previous by thread: Re: [dnsext] Trust Anchors
Next by thread: registrar transfers (was Re: [dnsext] Trust Anchors)
Index(es):
- Date
- Thread