US government mandates? use of DNSSEC by federal agencies
David Conrad
drc at virtualized.org
Wed Aug 27 23:30:14 UTC 2008
Just speaking of the IANA ITAR...
On Aug 27, 2008, at 10:35 AM, Kevin Oberman wrote:
> How do you propose to establish the initial trust for these keys?
Current plan:
- The IANA ITAR will be reachable via HTTPS, so you could trust the CA
IANA uses for that website (don't know who that is offhand).
- The IANA ITAR will be PGP signed, so you could trust the IANA PGP
key you obtained via some out of band mechanism.
The data used in the IANA ITAR will be vetted the same way IANA vets
NS changes.
> How will they be updated?
Not sure I understand this question. If you mean how frequently will
the trust anchors within the IANA ITAR be updated, that's up to the
TLD admins. If you mean how will the set of trust anchors be updated,
I would imagine folks would have a cron job to pull down the trust
anchors periodically or something. The data is relatively static and
could be Akamaized (or equivalent) or something if load becomes a
problem (not something I'd personally be expecting in the foreseeable
future).
> This is the reason for the DLV concept and it will be needed (in some
> form) at least until the root is signed and most likely until .com and
> .net are signed.
The downside of DLV is that it puts the DLV registry into the name
resolution path, with all that implies in terms of data privacy as
well as reliability.
Regards,
-drc
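The check a validator ends up performing once it has a DS-format trust anchor from a repository like the ITAR (confirm that the DNSKEY it fetches from the TLD matches the published DS record), as an added Python example that is not part of this thread or of IANA's tooling; the owner name and key bytes are constructed, not a real TLD key.

```python
import base64
import hashlib
import struct

def owner_wire(name):
    # Canonical (lowercased) wire-format owner name, e.g. "Example." -> 07 "example" 00.
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit word sum over the RDATA, carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner wire form || DNSKEY RDATA); type 1 = SHA-1, type 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(owner_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Presentation-format DS record a zone operator would submit as its trust anchor."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")

def parse_ds(line):
    """Parse '<owner> [TTL] [IN] DS <tag> <alg> <dtype> <hex>'; the hex may be space-split."""
    tok = line.split()
    i = tok.index("DS")
    tag, alg, dtype = (int(t) for t in tok[i + 1:i + 4])
    return tok[0], tag, alg, dtype, "".join(tok[i + 4:]).upper()

def dnskey_matches_ds(ds_line, flags, protocol, algorithm, pubkey_b64):
    """Validator-side check: does a DNSKEY fetched from DNS match the published DS anchor?"""
    owner, tag, alg, dtype, digest = parse_ds(ds_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    return algorithm == alg and key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest

# Constructed sample: base64 of the bytes 01 02 03 04, standing in for real key material.
SAMPLE_KEY_B64 = "AQIDBA=="
SAMPLE_DS = make_ds("example.", 257, 3, 8, SAMPLE_KEY_B64)  # KSK flags=257, RSA/SHA-256=8
```

A mismatch on any of key tag, algorithm or digest rejects the key, which is the property that makes a tampered DNSKEY answer detectable once the DS anchor itself has been obtained over a trusted channel.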