[dnssec-key-tf] requirement for "empty TA"?
Peter Koch
Mon Jun 9 10:59:56 CEST 2008
Mornin',

> I don't think the IANA would have a reliable way to distinguish between:
>
> a) they are not sending us the key anymore even though it is out there
> b) there is no key anymore

there's a difference between the TLD registry not submitting a key, so there's no statement in the TAR and the TLD registry explicitly saying the TLD is unsigned, so there must not be a key.

> If the day comes when the root is signed, if TLDs stop sending their
> key to IANA (The root) then the zone will drop off DNSSEC. Let's treat
> the TAR the same.

Assuming the root will be signed with NSEC instead of NSEC3/opt-out, an insecure delegation explicitly says there's no TA (which may or may not be true). This is a different issue from the TLD registry failing to update the DS(KSK), making the delegation go DNSSEC-lame.

-Peter