[dnssec-key-tf] requirement for "empty TA"?
Joao Damas
Mon Jun 9 10:27:38 CEST 2008
I don't think the IANA would have a reliable way to distinguish between:

a) they are not sending us the key anymore even though it is out there
b) there is no key anymore

so I think putting a requirement like this is not realistic.

If the day comes when the root is signed, if TLDs stop sending their key to IANA (The root) then the zone will drop off DNSSEC. Let's treat the TAR the same.

Joao

On 8 Jun 2008, at 23:24, Peter Koch wrote:

> Folks,
>
> our job is basically done and the letter to IANA eventually on its way,
> but since we're all here, here's an idea for an additional requirement:
>
> Inspired by the RSTEP report on PIR's ORG signing proposal, should
> the TAR differentiate between "no TA present" and "no TA exists"?
> The TAR, even the IANA one, will likely not claim to be exhaustive
> since it is opt-in only. However, when a TA is removed from the TAR,
> the consuming validator has no idea what to do with that particular
> TLD. It could continue to use the old TA, assuming that the distribution
> channel was just abandoned or it could remove the TA from its
> configuration.
> So, without assessing the PIR exit strategy, would it be a reasonable
> additional requirement for the TAR to allow for a NUL TA that means
> "no TA here" or "TA deliberately revoked"?
>
> -Peter