US government mandates use of DNSSEC by federal agencies
- Subject: US government mandates use of DNSSEC by federal agencies
- From: drc at virtualized.org (David Conrad)
- Date: Wed, 27 Aug 2008 16:30:14 -0700
- In-reply-to: <[email protected]>
- References: <[email protected]>
Just speaking of the IANA ITAR...
On Aug 27, 2008, at 10:35 AM, Kevin Oberman wrote:
> How do you propose to establish the initial trust for these keys?
Current plan:
- The IANA ITAR will be reachable via HTTPS, so you could trust the CA
IANA uses for that website (don't know who that is offhand).
- The IANA ITAR will be PGP signed, so you could trust the IANA PGP
key you obtained via some out of band mechanism.
The data used in the IANA ITAR will be vetted the same way IANA vets
NS changes.
> How will they be updated?
Not sure I understand this question. If you mean how frequently will
the trust anchors within the IANA ITAR be updated, that's up to the
TLD admins. If you mean how will the set of trust anchors be updated,
I would imagine folks would have a cron job to pull down the trust
anchors periodically or something. The data is relatively static and
could be Akamaized (or equivalent) or something if load becomes a
problem (not something I'd personally be expecting in the foreseeable
future).
> This is the reason for the DLV concept and it will be needed (in some
> form) at least until the root is signed and most likely until .com and
> .net are signed.
The downside of DLV is that it puts the DLV registry into the name
resolution path, with all that implies in terms of data privacy as
well as reliability.
Regards,
-drc
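The "cron job to pull down the trust anchors periodically" mentioned above has a step that the message does not spell out: deciding what to do with the fetched set once the HTTPS and PGP checks have passed. The following is an added example, not code from the thread or from IANA. It assumes the trust anchors are distributed as DS records in zone-file syntax (the ITAR published DS records) and that signature verification has already been done by the caller. It parses the installed and fetched sets, reports additions and removals, and flags the one change an operator should not let a cron job apply blindly: a zone whose anchors all disappear, which would silently turn that zone from validated to insecure. The sample records are constructed, with placeholder digests.

```python
"""Diff a freshly fetched DNSSEC trust-anchor set against the installed one.

Added example (not from the mailing-list thread). Assumes DS records in
zone-file syntax; signature/transport checks happen before this runs.
"""
import re
from dataclasses import dataclass

# Constructed sample: the anchors currently configured in the resolver.
INSTALLED_ANCHORS = """
; constructed sample, placeholder digests
example.   86400 IN DS 12345 8 2 """ + "ab" * 32 + """
example.   86400 IN DS 12345 8 1 """ + "cd" * 20 + """
test.      86400 IN DS 555   7 2 """ + "ef" * 32 + """
"""

# Constructed sample: what the periodic fetch brought back.
# example. rolled its KSK (23456 added, SHA-1 DS dropped); test. vanished.
FETCHED_ANCHORS = """
example. IN DS 12345 8 2 """ + "ab" * 32 + """
example. IN DS 23456 8 2 """ + "01" * 32 + """   ; new KSK
"""

# Hex digest length by DS digest type: 1=SHA-1, 2=SHA-256, 4=SHA-384.
DIGEST_HEX_LENGTHS = {1: 40, 2: 64, 4: 96}

# owner [TTL] [IN] DS key_tag algorithm digest_type digest
DS_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DS\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dt>\d+)\s+(?P<digest>[0-9A-Fa-f\s]+)$"
)


@dataclass(frozen=True)
class DSRecord:
    owner: str        # fully qualified, lowercase, trailing dot
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str       # lowercase hex


def parse_ds_records(text):
    """Parse DS records; reject anything malformed so garbage never gets installed."""
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop zone-file comments
        if not line:
            continue
        m = DS_LINE.match(line)
        if not m:
            raise ValueError(f"not a DS record: {raw!r}")
        digest_type = int(m.group("dt"))
        digest = re.sub(r"\s+", "", m.group("digest")).lower()
        expected = DIGEST_HEX_LENGTHS.get(digest_type)
        if expected is None or len(digest) != expected:
            raise ValueError(
                f"bad digest for {m.group('owner')}: type {digest_type}, "
                f"{len(digest)} hex chars")
        owner = m.group("owner").lower()
        if not owner.endswith("."):
            owner += "."
        records.add(DSRecord(owner, int(m.group("tag")),
                             int(m.group("alg")), digest_type, digest))
    return records


def diff_anchors(installed, fetched):
    """Return (added, removed); records present in both are unchanged."""
    return fetched - installed, installed - fetched


def zones_losing_all_anchors(installed, fetched):
    """Zones that have at least one anchor now and none after the update."""
    return {r.owner for r in installed} - {r.owner for r in fetched}


def plan_update(installed, fetched):
    """Additions are safe to apply automatically; losing a zone's last anchor
    downgrades it to insecure and should wait for a human."""
    added, removed = diff_anchors(installed, fetched)
    orphaned = zones_losing_all_anchors(installed, fetched)
    key = lambda r: (r.owner, r.key_tag, r.algorithm, r.digest_type)
    return {
        "add": sorted(added, key=key),
        "remove": sorted(removed, key=key),
        "zones_losing_all_anchors": sorted(orphaned),
        "needs_review": bool(orphaned),
    }


if __name__ == "__main__":
    plan = plan_update(parse_ds_records(INSTALLED_ANCHORS),
                       parse_ds_records(FETCHED_ANCHORS))
    for action in ("add", "remove"):
        for r in plan[action]:
            print(f"{action:6} {r.owner} tag={r.key_tag} alg={r.algorithm} dt={r.digest_type}")
    if plan["needs_review"]:
        print("HOLD: zones would lose all anchors:", plan["zones_losing_all_anchors"])
```

Run as a script it prints the planned additions and removals for the constructed data and holds the update because `test.` would be left without any anchor. In a real cron job the same `needs_review` flag is where you would stop and page someone rather than rewrite the resolver's trust-anchor file.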