[dnssec-key-tf] initial TLD sign up
Peter Koch
Thu Sep 13 11:59:10 CEST 2007
On Thu, Sep 13, 2007 at 04:31:10AM -0400, Sam Weiler wrote:

> That's the interesting bit. Happily "making sure we get the right key
> in the first place" is likely to be pretty easy: the TLDs are
> publishing keys on their webpages signed with some other cryptosystem
[...]

not contesting your strawman, the point I tried to make (and already made to Jim in an earlier note) is the initial sign up of a TLD: How does the TAR know they're talking to the right TLD representative? If there's no key, that's probably easy, but as of today five of 267 TLDs do publish one or more DNSKEY RRs (not counting *.ARPA, since I like to follow Daniel's advice).

The TAR should be operated in "passive mode", i.e. waiting to be approached by a TLD registry (announcements and encouragement notwithstanding) and the TAR operator has to find the right link. Once that's established, the list you (Sam) provided should work.

-Peter