[Opendnssec-develop] Zone moving between operators

Antoin Verschuren Antoin.Verschuren at sidn.nl
Thu Mar 26 01:07:28 UTC 2009


Hmm, that means an extra thing to think about as a registry to implement DNSSEC: Upgrade your systems to be able to handle 10M transactions you normally do in a year to appear in 1 second. I think our management will say no to DNSSEC.

It is my business as a parent if I need to verify the trust anchor I'm providing to my children.
You can have as many keys in your zone as you want, but if you want me to update your DS in my zone, you better not send them to me all at once.

I used to work for a number of ISPs too.

Antoin Verschuren

Technical Policy Advisor
SIDN
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
W http://www.sidn.nl/


> -----Original Message-----
> From: Ray.Bellis at nominet.org.uk [mailto:Ray.Bellis at nominet.org.uk]
> Sent: Thursday, March 26, 2009 1:15 AM
> To: Antoin Verschuren
> Cc: Matthijs Mekking; Opendnssec-develop at lists.opendnssec.org; opendnssec-
> develop-bounces at lists.opendnssec.org; Rick van Rein; roy at nominet.org.uk
> Subject: RE: [Opendnssec-develop] Zone moving between operators
> 
> > I would say one key for multiple zones is unwise.
> > And as a registry, I would probably forbid it in the policy.
> 
> As someone who used to run DNS services at an ISP I'd disagree, and say
> that it's none of the parent zone's business how many (or few) keys I use
> across my customers' zones.
> 
> cheers,
> 
> Ray
> 
> --
> Ray Bellis, MA(Oxon) MIET
> Senior Researcher in Advanced Projects, Nominet
> e: ray at nominet.org.uk, t: +44 1865 332211


