[dnssec-key-tf] requirement for "empty TA"?
Joao Damas
Mon Jun 9 11:52:17 CEST 2008
On 9 Jun 2008, at 10:59, Peter Koch wrote:

> Mornin',
>
>> I don't think the IANA would have a reliable way to distinguish
>> between:
>>
>> a) they are not sending us the key anymore even though it is out there
>> b) there is no key anymore
>
> there's a difference between the TLD registry not submitting a key,
> so there's no statement in the TAR and the TLD registry explicitly
> saying the TLD is unsigned, so there must not be a key.

but there is no generic way for IANA to determine that, unless the TLD
chooses to signal it explicitly.

In the meantime, if the IANA TAR is your choice of how to track TAs, the
absence of a key would mean, according to your policy choice, that you
would only trust those keys.

>> If the day comes when the root is signed, if TLDs stop sending their
>> key to IANA (the root) then the zone will drop off DNSSEC. Let's treat
>> the TAR the same.
>
> Assuming the root will be signed with NSEC instead of NSEC3/opt-out, an
> insecure delegation explicitly says there's no TA (which may or may not
> be true). This is a different issue from the TLD registry failing to
> update the DS(KSK), making the delegation go DNSSEC-lame.

Yes.

Is the argument here that the root should use NSEC3?

In any case, the TAR is not the root zone.

Let's not get stuck again, please

Joao