This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] NTIA and RIPE
- Previous message (by thread): [dns-wg] NTIA and RIPE
- Next message (by thread): [dns-wg] NTIA and RIPE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Richard Lamb
richard.lamb at icann.org
Wed Oct 29 23:15:17 CET 2008
... On 2008Oct29, at 7:30 PM, Edward Lewis wrote: >Regardless of my personally agreeing with such a statement or not, here are my >reactions to some of the bullets. > >At 15:01 +0400 10/29/08, Patrik Fältström wrote: > > > B - The addition of DNSSEC to the root zone must be recognised as a > global initiative. > >I'm unclear on the intent of the B statement. See my comment on E. > > E - Any procedural changes introduced by DNSSEC should be aligned with the > process for coordinating changes to and the distribution of the root zone. > >In some interpretations of B & E, these two could be conflicting. I.e., B implies >that the current state of root zone management is too centered in the US, E evokes >a message encouraging the status quo. > >Mind you - I am not commenting on B or E, but my reading of the two leaves come >confusion in my mind. Perhaps I am misunderstanding B and/or >E as it is presented >here. I take B to mean we want the global Internet community to use and trust it. ..and yes control and operation that is less US centric. Thank you for "translating" E. It does evoke the current state of affairs which unfortunately do not best serve DNSSEC (even envisioned in [1]) and contradictory with B. I dont believe anyone is suggesting changing the current distribution mechnism for the root zone...only changing the creation of that zone to secure it and its new contents effectively. The how and who should be up to the community the root serves. IMHO E needs to be removed. It refers to a "process" that is by no means favored by the whole community nor frozen in stone. Why build it into DNSSEC? I have yet to understand the drivers behind E as there are any number of ways to achieve the same "balance" while simlifying and securing the process. Given the will, making such changes does not take a long time. In a previous life in government I have seen greater issues settled, contracts written, and even $$ doled out in less than a month. All depended on what level pressure is applied. Its your root. Design it and make sure it is what you want. ... > K - Changes to the entities and roles in the signing process must not > require a change of keys. > >I technically disagree with that, if there is a change in the entity performing the >zone signing, the private key material should not have to be transferred out in the >transition. The private key material of concern here is the ZSK, not the KSK. Agreed. >-- >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->=- >Edward Lewis +1-571-434->5468 >NeuStar > >Never confuse activity with progress. Activity pays more. Very much agree ;-) Not speaking for my employer on any of this lest I be looking for another career. -Rick [1] http://www.icann.org/en/tlds/agreements/verisign/root-server-management-transition-agreement-oct05.pdf signed version elsewhere
- Previous message (by thread): [dns-wg] NTIA and RIPE
- Next message (by thread): [dns-wg] NTIA and RIPE
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]