[dnssec-key-tf] Using the TAR for non-TLD KSKs
Johan Ihren
Wed Oct 24 17:54:22 CEST 2007
On 24 Oct 2007, at 16:45, Peter Koch wrote:

> On Wed, Oct 24, 2007 at 03:30:36PM +0100, Jim Reid wrote:
>
>> I agree. But surely a TAR that goes into keys other than TLDs will
>> just create this problem in a slightly different guise? This could
>> also have an unpleasant operational impact on the TAR: perhaps
>> looking after many hundreds of (frequently changing?) KSKs rather
>> than a much smaller number of (probably fairly stable) TLD KSKs.

Ahh. And here I thought that the whole point of TAR was to avoid having every validator do the cumbersome fetching and verification of trusted keys and instead do this in one place to change from O(n*m) to O(n).

But if this is too much effort for TAR then I think the world would be better served by some entity that could provide that service.

On another note, at the heart of this lies a need to make DNSSEC operationally viable on the resolver side as the number of signed zones goes up. The primary alternative to TAR is called DLV. DLV will happily take care of all keys wherever they are in the hierarchy. Therefore, if TAR doesn't provide a service that does the same then people will need to use DLV regardless. But if they need DLV regardless, what's the point of TAR?

You all know that I'm strongly opposed to DLV, but even so: if TAR doesn't provide an alternative that can be compared to DLV on pros and cons directly then I really don't see a useful niche for TAR in this ecology.

> it makes the TAR operationally more complex and it would also be in
> conflict with our proposed stop condition. With only TLDs it is
> straightforward to exit once the root is signed. With other domains
> in the TAR, this strategy doesn't appear as straightforward to me
> anymore.

That one I understand completely. However, what is more important: providing a relevant service that justifies this effort in the first place or having a sufficiently simple exit strategy?
Johan