[dnssec-key-tf] let's get things started
Joao Damas
Sat Sep 1 01:08:46 CEST 2007
On 29 Aug 2007, at 11:00, Peter Koch wrote:

> 1) Do we agree that "TLD only" best matches the outcome of the discussion
> in Tallinn?

That's the feeling I got.

> 2) Is there anything "TLD like" we should consider?

Assuming we are including arpa as a rightful TLD, I think that covers it. Going into second-level domains, third, etc. requires something dynamic, which name servers should be able to update by themselves (or with the aid of cron-like jobs, but that is even more error prone), and then you end up at some DLV-like scheme.

> For the publication part, my understanding is that, although the term "DLV"
> was mentioned, the presenter's primary goal was to have an accessible
> Trust Anchor Repository.

Correct. Something simple and trusted was my understanding and my desire for this. A simple DNS zone that can be pulled would do the trick (with additional local processing). Failing that, a well-formatted text file available through any of http, ftp, rsync, rss syndication on a well-known URI could cover this, I believe.

The important part of this exercise is to get some trust on the data that is put into the repository, so I would prefer there to be explicit agreement between the repository maintainers and the TLDs whose keys are stored, so there is a chance for advance warning of changes in publication methods, emergency rollover processes, etc. In order to achieve this in a reasonable amount of time one would probably need to craft very simple agreements that wouldn't require lots of review by legal teams, so for instance, no party should try to impose liability on the other. That also means there must be simple and clear "terms of usage" for the repository, towards its users.

Joao
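The "simple DNS zone that can be pulled ... with additional local processing" idea above is where the operational risk sits: whatever is pulled has to be filtered before it becomes a trust anchor. The following is an added example, not code from the task force or from any TLD; it parses a constructed trust-anchor zone (the keys in SAMPLE_ZONE are made up and are not real TLD keys), applies the local checks a validator operator would want (TLD-only owner names, protocol 3, SEP flag set, an accepted algorithm, well-formed base64), computes the RFC 4034 key tag and the SHA-256 DS digest for each accepted key, and renders a BIND 9 `trust-anchors` stanza. The accepted-algorithm set and the TLD-only rule are this example's assumptions, not anything the thread fixed.

```python
"""Turn a pulled trust-anchor zone into a BIND 9 trust-anchors stanza.

Added example. SAMPLE_ZONE is constructed: the keys are NOT real TLD keys.
"""
import base64
import hashlib
import re

# Constructed sample of what a pullable trust-anchor zone might hold: one
# DNSKEY per TLD, plus records that local processing should reject.
SAMPLE_ZONE = """\
; constructed trust-anchor zone, keys are NOT real
arpa.     3600 IN DNSKEY 257 3 8 AQIDBA==
example.  3600 IN DNSKEY 256 3 8 AQIDBA==      ; ZSK, SEP flag not set
test.     3600 IN DNSKEY 257 3 99 AQIDBA==     ; unknown algorithm
sub.arpa. 3600 IN DNSKEY 257 3 8 AQIDBA==      ; not a TLD
"""

# Assumption for this example: algorithms the local validator is willing
# to trust (RSASHA256, ECDSA P-256/P-384, Ed25519, Ed448).
ACCEPTED_ALGORITHMS = {8, 13, 14, 15, 16}

DNSKEY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)


def is_tld(name):
    """Assumed policy: exactly one label (arpa counts, sub.arpa does not)."""
    labels = name.strip(".").split(".")
    return len(labels) == 1 and labels[0] != ""


def wire_name(name):
    """Owner name in uncompressed wire format (RFC 1035), lower-cased."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms but 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(name, rdata):
    """DS digest type 2: SHA-256(owner name in wire form || DNSKEY RDATA), hex."""
    return hashlib.sha256(wire_name(name) + rdata).hexdigest().upper()


def parse_trust_anchors(zone_text):
    """Parse DNSKEY lines and return (accepted, rejected).

    accepted: dicts with name, flags, alg, key_tag, ds, key
    rejected: (line, reason) pairs so an operator can review what was dropped.
    """
    accepted, rejected = [], []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            rejected.append((raw, "not a DNSKEY record"))
            continue
        name = m["name"].lower()
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        key_b64 = "".join(m["key"].split())  # base64 may be split by whitespace
        if not is_tld(name):
            rejected.append((raw, "owner is not a TLD"))
            continue
        if proto != 3:
            rejected.append((raw, "protocol must be 3"))
            continue
        if not flags & 0x0001:  # SEP flag is bit 15 in DNS numbering, i.e. value 1
            rejected.append((raw, "SEP flag not set"))
            continue
        if alg not in ACCEPTED_ALGORITHMS:
            rejected.append((raw, f"algorithm {alg} not accepted"))
            continue
        try:
            pubkey = base64.b64decode(key_b64, validate=True)
        except ValueError:
            rejected.append((raw, "public key is not valid base64"))
            continue
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        accepted.append({
            "name": name, "flags": flags, "alg": alg, "key": key_b64,
            "key_tag": key_tag(rdata), "ds": ds_sha256(name, rdata),
        })
    return accepted, rejected


def bind_trust_anchors(accepted):
    """Render accepted keys as a BIND 9 'trust-anchors' stanza (static-key form)."""
    lines = ["trust-anchors {"]
    for k in accepted:
        lines.append(f'    "{k["name"]}" static-key {k["flags"]} 3 {k["alg"]} '
                     f'"{k["key"]}";  // key tag {k["key_tag"]}')
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    ok, bad = parse_trust_anchors(SAMPLE_ZONE)
    print(bind_trust_anchors(ok))
    for line, why in bad:
        print(f"rejected ({why}): {line.strip()}")
```

The rejected list is deliberately returned rather than discarded: if the repository changes its publication format or a TLD does an emergency rollover, the first visible symptom is usually a record that stops parsing, and an operator wants that surfaced rather than silently losing an anchor.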