[governance] DNSSEC, was USG on ICANN - no movement here
John Levine
icggov at johnlevine.com
Mon Aug 11 16:46:08 EDT 2008
>doesn't DNSSEC, once fully in place, lock us into the ICANN approved
>root with no chance for variation? would DNSEC knock the ORSN model
>out?
Not really. DNSSEC provides a chain of signatures corresponding to
the chain of NS delegations for each zone. You need a manually
configured "trust anchor" to start validating the chain, ideally for
the root. Non-IANA roots currently mirror most or all of the NS
records in the IANA root, which they obtain either by zone transfer or
by FTP from Verisign's public FTP server. They can continue to do the
same thing, but add their own signatures of the signed zones they
mirror.
The trust anchor for a non-IANA root would be differerent from the one
for the IANA root. But just as you configure different root server IP
addresses to pick your favorite root, you'll configure the
corresponding trust anchor.
The recent comments about the relative stability of the IANA vs.
non-IANA roots applies doubly when DNSSEC is involved. Each zone is
likely to change its key once or twice a year, which means that the
parent zone has to notice and adjust its signature to match the new
key. (Barring emergencies, there would be a couple of months' overlap
between the old and new keys, so this isn't a real time issue, its a
process issue.) If the parent signature gets stale, the child zone
effectively disappears. Oops. Credible roots better not do that.
R's,
John
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.cpsr.org
To be removed from the list, send any message to:
governance-unsubscribe at lists.cpsr.org
For all list information and functions, see:
http://lists.cpsr.org/lists/info/governance
More information about the Governance
mailing list