On Tue, Jul 20, 2010 at 12:12 AM, Mark Andrews <marka@xxxxxxx> wrote: > > In message <AANLkTikni86AOABGKIB1_jOeQe0Ou4swpGrS8H1MbmrQ@xxxxxxxxxxxxxx>, Phil > lip Hallam-Baker writes: >> Being able to verify signatures is of no value. >> >> The system only has value when you can act differently according to >> whether the signature verifies or not. >> >> I keep asking, but nobody will tell me how I get the keys for my >> domains into the TLD. > > Firstly you get DS records into the TLD not DNSKEY records. Secondly > it is/will be by a mechanism similar to how you get NS records into > the TLD. In other words go ask your registrar when they are going > to support adding DS records and stop complaining here. I am not asking about the TLD keys, I am asking about my keys. And I really hope that the mechanism for handling the name holder keys recognizes that registering a million keys is different to distributing a hundred where all the parties know each other personally. You would not be saying "go ask your registrar when they are going to support adding DS records" if you didn't know that the answer was that the registrars have made no commitment to deploy. Holding a key signing ceremony is not a new technological achievement. It is being held now with great fanfare in the hope that if everyone makes enough noise about how much momentum DNSSEC has that the opposition of the registrars will somehow disappear. I don't see why that strategy would work. I have certainly never seen it work in the past. > This is not a technological problem. It is a business problem > between you, your registrar and the registry. You are an engineer. If the technology does not meet the business needs then you have failed. If DNSSEC is not going to fail we need to re-engineer it to propose a business model that actually works. Sitting on the sidelines and shouting 'the technology is perfect damit, go make the business model work', is not going to solve the problem. Nor is 'go away, my technology is perfect, perfect I tell you'. What has me very worried here are the comments to the effect 'the registrars are behind'. What if the registrars are not 'behind', what if they have no interest in deployment or are actively opposed but unable to say so openly while Cerf and co are saying that DNSSEC is the historic solution to solve the problem of Internet security? >> This is not a trivial issue. There is a question of liability to be >> addressed. So far ICANN and VeriSign Registry Services have addressed >> the issue by booting it down the chain. But the system as a whole >> cannot work until there is someone willing to accept the liability and >> for that to happen they are going to require tools to manage their >> litigation risk. > > How is the liability different from that of accepting NS records? > DS records don't magically change the liability. Stuffing up either > NS or DS records will break the delegation. Yes they do. An NS record specifies the address of the DNS server A DS record specifies an intermediate certificate in the chain of trust for authenticating any entity that is attached to the domain. In the case of an NS record it is established that the design does not provide security in the DNS layer and this has to be provided independently via an end to end mechanism such as SSL with DV or EV certs. In the case of a DS record the design is expressly designed to provide for authentication of assertions relating to a domain name distributed through the DNS. -- Website: http://hallambaker.com/ _______________________________________________ Ietf mailing list Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf