US government mandates? use of DNSSEC by federal agencies

David Conrad drc at virtualized.org
Wed Aug 27 23:30:14 UTC 2008


Just speaking of the IANA ITAR...

On Aug 27, 2008, at 10:35 AM, Kevin Oberman wrote:
> How do you propose to establish the initial trust for these keys?

Current plan:

- The IANA ITAR will be reachable via HTTPS, so you could trust the CA  
IANA uses for that website (don't know who that is offhand).
- The IANA ITAR will be PGP signed, so you could trust the IANA PGP  
key you obtained via some out of band mechanism.

The data used in the IANA ITAR will be vetted the same way IANA vets  
NS changes.

> How will they be updated?

Not sure I understand this question.  If you mean how frequently will  
the trust anchors within the IANA ITAR be updated, that's up to the  
TLD admins.  If you mean how will the set of trust anchors be updated,  
I would imagine folks would have a cron job to pull down the trust  
anchors periodically or something.  The data is relatively static and  
could be Akamaized (or equivalent) or something if load becomes a  
problem (not something I'd personally be expecting in the foreseeable  
future).

> This is the reason for the DLV concept and it will be needed (in some
> form) at least until the root is signed and most likely until .com and
> .net are signed.

The downside of DLV is that it puts the DLV registry into the name  
resolution path, with all that implies in terms of data privacy as  
well as reliability.

Regards,
-drc





More information about the NANOG mailing list