[staff] [local-ir@localhost] signing the roots
- Date: Tue, 22 Apr 2003 16:01:05 +0200
- Resent-date: Thu, 1 May 2003 13:12:43 +0200
- Resent-message-id: <200305011112.h41BChDV028284@localhost
- Resent-to: "dns-wg. sub-regular":
Dear colleagues,
At the DNS-WG at the last RIPE meeting (RIPE 44) Johan Ihren presented
his proposal for an interim scheme for signing the public DNS root. The
current version of this Internet-Draft is:
draft-ietf-dnsop-interim-signed-root-01.txt
The full text of this Internet-Draft can be found at:
http://www.ietf.org/internet-drafts/draft-ietf-dnsop-interim-signed-root-01.txt
In the Internet-Draft, a mechanism has been proposed for a first stage
of a transition from an unsigned DNS root to a signed root, such that the
data in the root zone is accompanied by DNSSEC signatures to allow
validation. The process of doing this involves the use of a set of
operator keys which are signed by one key signing key, sometimes
referred to as a "master key". It has been further proposed that these key
signing keys be managed by the Regional Internet Registries (RIRs).
The proposal states the requirements of the RIRs would be to:
* establish a secure out-of-band communication path in collaboration
with the signing operators which will be used for authenticated exchange
of the unsigned keyset.
* periodically generate strong keys using a good random number
generator
* manage their keys (i.e. use them for signing the operator keyset
and keeping the private key appropriately secret)
Question:
Since this Internet-Draft suggests future action by the RIRs, the RIPE
community should discuss this issue and provide feedback to the author.
Therefore, the following question is asked:
Is this a task that should be performed by the RIPE NCC?
Please direct your feedback to the dns-wg@localhost mailing list.
Regards,
Andrei Robachevsky
CTO, RIPE NCC