North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: US government mandates? use of DNSSEC by federal agencies
Just speaking of the IANA ITAR...
On Aug 27, 2008, at 10:35 AM, Kevin Oberman wrote:
How do you propose to establish the initial trust for these keys?
- The IANA ITAR will be reachable via HTTPS, so you could trust the CA IANA uses for that website (don't know who that is offhand).
- The IANA ITAR will be PGP signed, so you could trust the IANA PGP key you obtained via some out of band mechanism.
The data used in the IANA ITAR will be vetted the same way IANA vets NS changes.
How will they be updated?
Not sure I understand this question. If you mean how frequently will the trust anchors within the IANA ITAR be updated, that's up to the TLD admins. If you mean how will the set of trust anchors be updated, I would imagine folks would have a cron job to pull down the trust anchors periodically or something. The data is relatively static and could be Akamaized (or equivalent) or something if load becomes a problem (not something I'd personally be expecting in the foreseeable future).
This is the reason for the DLV concept and it will be needed (in some form) at least until the root is signed and most likely until .com and .net are signed.
The downside of DLV is that it puts the DLV registry into the name resolution path, with all that implies in terms of data privacy as well as reliability.