Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)

ted@tednet.nl (Ted Lindgreen) Fri, 06 April 2001 16:18 UTC

Received: from psg.com (exim@[147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with SMTP id MAA13587 for <dnsext-archive@lists.ietf.org>; Fri, 6 Apr 2001 12:18:43 -0400 (EDT)
Received: from lserv by psg.com with local (Exim 3.16 #1) id 14lYYe-0004Y1-00 for namedroppers-data@psg.com; Fri, 06 Apr 2001 08:53:56 -0700
Received: from [63.218.17.194] (helo=h236.s254.netsol.com) by psg.com with esmtp (Exim 3.16 #1) id 14lYYc-0004Xs-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 08:53:55 -0700
Received: (from markk@localhost) by h236.s254.netsol.com (8.11.0/8.11.0) id f36EvrF01739 for namedroppers@ops.ietf.org; Fri, 6 Apr 2001 10:57:53 -0400
Received: from open.nlnetlabs.nl ([213.53.69.1]) by psg.com with esmtp (Exim 3.16 #1) id 14lVrX-000Nhg-00 for namedroppers@ops.ietf.org; Fri, 06 Apr 2001 06:01:16 -0700
Received: (from ted@localhost) by open.nlnetlabs.nl (8.11.2/8.11.1) id f36D14s95349; Fri, 6 Apr 2001 15:01:04 +0200 (CEST) (envelope-from ted)
Message-Id: <200104061301.f36D14s95349@open.nlnetlabs.nl>
From: ted@tednet.nl
Date: Fri, 06 Apr 2001 15:01:04 +0200
In-Reply-To: "John Gilmore's message as of Apr 6, 14:12"
Reply-To: Ted.Lindgreen@tednet.nl
X-Organization: TedNet BV
X-Address: Omval 56, 1096HV Amsterdam, The Netherlands
X-Phone: +31 20 6631060 Fax: +31 20 4684462
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: John Gilmore <gnu@toad.com>, Miek Gieben <miekg@open.nlnetlabs.nl>
Subject: Re: Signature at parent (draft-ietf-dnsop-parent-sig-00.txt)
Cc: Dan Massey <masseyd@isi.edu>, namedroppers@ops.ietf.org
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

[Quoting John Gilmore, on Apr  6, 14:12, in "Re: Signature at par ..."]

> There's nothing wrong with putting an IPSEC KEY record at the top
> of a zone, along with the zone keys.

The problems with it are:

1. Inflexibility:
    Any change, update, addition, or removal of such a KEY
    needs the involvement of the parent.
2. Cost:
    It is pretty likely that TLDs will charge for signing KEYs,
    and probably more when lots of non-zone-KEYs are involved.
3. Liability:
    He who signs must make sure that he knows he is signing, and
    must accept some responsibility for it (otherwise the signature
    is worthless). I think a TLD should accept the responsibility for
    a proper delegation of a domain, but I don't think the TLD will
    accept the responsibility for local stuff like IPSEC-KEYS under
    those already delegated domains.

I think that smart zone-administrators keep their local KEYs out of
the apex's KEYset.

But some education may help to get them smart.

So, the question is: in a to-be-written "Best Current Practice
document" should we be silent about this, or just make a note or
remark, or discourage it, or make it a SHOULD NOT, or perhaps even
a MUST NOT?

I agree with Brian Wellington, that a "SHOULD NOT" will do fine.

Regards,
-- Ted.
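Added example, not code from the thread, the draft, or any of the participants: a small lint that reads a zone and reports apex KEY RRs that are not DNSSEC zone keys, i.e. exactly the "local KEYs" the message says should stay out of the apex KEYset, since under the parent-signature scheme the parent signs that whole RRset. It uses the RFC 2535 KEY presentation fields (flags, protocol, algorithm, public key): name type "zone" is flags bits 6-7 == 01 (0x0100), protocol 3 is DNSSEC and 4 is IPSEC. The zone file text, owner names and key material below are constructed for the demonstration; the parser deliberately handles only one RR per line with integer TTLs.

```python
# Added example (not from the thread): lint an apex KEYset for non-zone keys.
# KEY field semantics follow RFC 2535 sections 3.1.2 (flags) and 3.1.3 (protocol).

ZONE_KEY = 0x0100            # flags bits 6-7 == 01: name type "zone"
NAME_TYPE_MASK = 0x0300      # bits 6-7 of the 16-bit flags field
PROTO_NAMES = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "all"}
PROTO_DNSSEC = 3


def _fqdn(owner, origin):
    """Expand '@' and relative owner names against the zone origin."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else owner + "." + origin


def parse_key_rrs(zone_text, origin):
    """Return (owner, flags, protocol, algorithm) for each KEY RR in a
    simple one-RR-per-line zone file. Comments, $-directives and other
    RR types are skipped; TTLs must be plain integers (assumption)."""
    rrs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        owner, rest = fields[0], fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)                  # optional TTL and class
        if len(rest) < 4 or rest[0].upper() != "KEY":
            continue
        flags, proto, alg = (int(x) for x in rest[1:4])
        rrs.append((_fqdn(owner, origin), flags, proto, alg))
    return rrs


def lint_apex_keyset(zone_text, origin):
    """Flag apex KEY RRs that are not DNSSEC zone keys. Under the
    parent-signature scheme the parent signs the whole apex KEYset, so each
    of these is a key the parent would be asked to vouch for. Returns a list
    of (owner, flags, protocol, reason) tuples, one per offending RR."""
    problems = []
    for owner, flags, proto, alg in parse_key_rrs(zone_text, origin):
        if owner != origin:
            continue                     # keys below the apex are not in the parent-signed set
        pname = PROTO_NAMES.get(proto, str(proto))
        if (flags & NAME_TYPE_MASK) != ZONE_KEY:
            problems.append((owner, flags, proto,
                             "non-zone key (%s) in the apex KEYset" % pname))
        elif proto != PROTO_DNSSEC:
            problems.append((owner, flags, proto,
                             "zone key with non-DNSSEC protocol %s" % pname))
    return problems


# Constructed sample zone: a DNSSEC zone key, an IPSEC host key wrongly placed
# at the apex, and an IPSEC host key for a host under the zone (not flagged).
SAMPLE_ZONE = """\
$ORIGIN example.nl.
@       3600 IN SOA  ns1 hostmaster 2001040601 3600 900 604800 3600
@       3600 IN NS   ns1
@       3600 IN KEY  256 3 5 AQPSKmynfzW4kyBv015MUG2DeIQ3   ; DNSSEC zone key
@       3600 IN KEY  512 4 1 AQOEIKLTUQHbIjwvczFeLVfXrp8m   ; IPSEC host key at the apex
gw      3600 IN KEY  512 4 1 AQOEIKLTUQHbIjwvczFeLVfXrp8m   ; IPSEC host key below the apex
ns1     3600 IN A    192.0.2.1
"""

if __name__ == "__main__":
    for owner, flags, proto, reason in lint_apex_keyset(SAMPLE_ZONE, "example.nl."):
        print("%s KEY flags=%d proto=%d: %s" % (owner, flags, proto, reason))
```

Run against the sample, the lint reports only the apex IPSEC host key; the zone key passes and the key at gw.example.nl. is ignored because it is not part of the RRset the parent would sign.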
