[dnssec-key-tf] clarification of TAR requirements
Jim Reid
Wed Apr 16 12:45:24 CEST 2008
On 16 Apr 2008, at 10:31, Peter Koch wrote: > now, if IANA is doing the job, is this still a requirement from our > side > (assuming this was to protect the NCC from any liability back then)? I think it would be prudent for IANA/ICANN to have this type of protection and it wouldn't hurt for our TF to suggest that to them. Assuming they've not already considered this. > So, setting layer 9+ aside for a second, this would mean there are no > requirements for the crypto algorithms and key lengths used, nor any > requirement to actually have a ZSK/KSK split or have a live KSK with > the > SEP flag set? Yup. These requirements should be documented (and enforced?) somehow. But not by the TAR. Someone else can be the DNSSEC police. I think it's OK for the TAR to say "the key we have for this TLD doesn't appear to be a live KSK", but no more than that. It's probably not OK IMO for the TAR to refuse a valid key because it's not yet a live KSK. For some definition of valid. >>> here would be some statement saying that "signing the root" is >>> still a >>> goal (if it is) and that's why the requirements about exit >>> strategies >>> should be kept. >> >> Let's avoid this rat-hole Peter. I think we're now working on the >> assumption that the IANA repository is going ahead. So this TF could >> support that effort with some ideas about that TAR's requirements. If >> we can get consensus on that, we can ask the WG to endorse that >> outcome, send it to ICANN and as Daniel says, declare victory and >> close the TF. > > I'm not sure where you see me rat-holing here. Re-opening the discussions about signing the root. Or a debate on if an NCC effort to set up a TAR undermines or supports the IANA TAR. Since you're not doing that, let's move on.... I think Daniel's captured all the salient points, so can we please focus on the text he's drafted? > [8] The TAR is open to receive TAs for any delegated TLD. > [?] The TAR maintainers may assist TA/KSK maintainers on a best effort > basis only. Inetersted parties are encouraged to consult (RFC > 4641, ...) > for technical and operational guidance. Yes!