Re: [DNSOP] Signing the root == end of ITAR?

Mark Andrews <marka@isc.org> Wed, 07 October 2009 21:14 UTC

In message <Prayer.1.3.2.0910071559590.29881@hermes-1.csi.cam.ac.uk>,
Chris Thompson writes:
> We have had at least one person from ISC in the past saying they won't be
> in any hurry to get rid of dlv.isc.org just because the root is signed.
> [I'll try and find the reference(s) if anyone doubts that.] No doubt
> they will stop importing the IANA ITAR into it at some stage, though.

I'll leave that for the DLV program manager.

One should note that, until a validator is upgraded to support SHA2
signatures, it will still need the DLV entries for the TLDs, as
the root will remain unsigned as far as that validator is concerned.

> There's an interesting technical question about DLV in this context, by
> the way. Would a DLV rrset at the apex (e.g. for dlv.isc.org) work as
> a substitute for an explicit root zone trust anchor?

Yes.  Why would anyone think otherwise?
 
Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org