wrt joao damas' DLV talk on wednesday
David Conrad
drc at virtualized.org
Mon Jun 12 18:33:28 UTC 2006
Randy,
On Jun 12, 2006, at 10:08 AM, Randy Bush wrote:
> actually, i suspect that the issues of dlv are exactly those of
> iana root signing, key management and tld signature policy.
Nope. Oh sure, from a technical perspective, the problems are pretty
much the same, but I think they are solvable (if not in a way that
will please everyone). However, one of the major layer-9 or above
issues having to do with signing the root is "who is going to sign
the root", which translates to "who owns the root". The answer, from
a political perspective, isn't as obvious as one might wish.
When you push down a layer in the DNS hierarchy, then the layer-9 or
above issue becomes _much_ clearer and easier to solve. ccTLD admins
and folks like PIR, Verisign, Neustar, etc., have clear and
unambiguous authority over their zones (not getting into the argument
of whether they should have clear and unambiguous authority) and
thus, there is no question who should sign those zones (how is a mere
implementation detail).
The problem is, if you push down a layer, you have to figure out how
to get the appropriate keying information into the caching server's
"trusted-key" (or moral equivalent) statement. I personally think
some sort of automated non-DNS out-of-band mechanism would be better
than recreating the "who gets to sign X" problem, but there are lots
of annoying details to deal with.
> and
> hence dlv is hoisted on the same petard it attempts to avoid, and
> then devolves to a simple power play of isc vs iana with neither
> having a good answer to the real technical and security issues.
Can you have a power play when at least one party doesn't play?
IANA's role is really easy: people tell us what to do, we try to do
it. When somebody tells IANA how to deal with root signing, key
management, and tld signature policy, we do what is necessary to
implement what is asked of us. Until then, I'm a bemused bystander...
Rgds,
-drc
More information about the NANOG
mailing list