[dnssec-key-tf] Publication method (was: DLV and trust anchor repositories)
Marcos Sanz/Denic
Mon Sep 24 14:59:01 CEST 2007
> As I wrote yesterday: "I agree with Daniel: 'As many as are required
> by the users.' Multiple formats are good and I have no strong
> preferences re: dynamically queriable v. bulk only. (In particular,
> I'm not going to insist on DLV as a publication format.)"

I don't think that a "dynamically queriable" publication method is a hard requirement, only an optimization.

https://ns.iana.org/dnssec/status.html looks nice, but:
a) it is difficult to parse
b) it is not signed by my favourite CA (hey, that will probably be stuff for lots of discussion)

Coming back to other aspects discussed so far:

* The more transports and syntaxes the repository offers, the better. They all must be synchronized among themselves, though.

* I defend a repository for "TLD-like only" because of the different requirements that deeper levels of the tree would impose. And because that was the initial scope of our work, IIRC.

* I certainly prefer IANA doing the publication than any other instance. We don't want to have a tree with two roots, one for content and one for authentication. The "flimsy authentication" argument and the TEL-example is not valid for me here: there shouldn't be more security expectations for changing a trust anchor than for changing a TLD delegation.

* Dropping the experiment when the root is signed is good enough. It would be convenient and professional to set an absolute deadline for the experiment, though. This will address the worries of a possible loss of pressure on getting the root signed if the experiment were to become very successful.

* TAR in passive mode: absolutely.

Best regards,
Marcos