[Opendnssec-develop] Zone moving between operators
Roy Arends
roy at nominet.org.uk
Thu Mar 26 08:41:56 UTC 2009
"Antoin Verschuren" <Antoin.Verschuren at sidn.nl> wrote on 03/26/2009 02:07:28 AM:
> Hmm, that means an extra thing to think about as a registry to
> implement DNSSEC: Upgrade your systems to be able handle 10M
> transactions you normally do in a year to appear in 1 second. I
> think our management will say no to DNSSEC.
For what it's worth, it would be really hard to stop anyone from using a
single key for all their zones. Public keys can be re-used; just change
the owner name, right? This is independent of OpenDNSSEC. One could have
100 keys on their HSM, all copies of the same key. Do you require us to
check them all? What about BIND's DNSSEC tools? How can this policy be
technically enforced? Are you planning, as a registry, to cross-check
millions of DS records?
> It is my business as a parent if I need to verify the trust anchor
> I'm providing to my children.
That is beside the point, right? You authenticate the
registrar/registrant. You check if their DS matches their key. The buck
stops there, I guess. Are you going to check the trust anchor against all
existing trust anchors? What if one matches? Are you then telling the
registrar/registrant that they just can't do that?
> You can have as many keys in your zone as you want, but if you want
> me to update your DS in my zone, you better not send them to me all at
> once.
And _that_ is the way to do it. Drop these policy bits in an SLA, but
don't cripple the software.
> I used to work for a number of ISP's too.
I just worked for one in the past. Does that count? ;-)
Roy
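The key-reuse point above can be shown concretely. A DS digest is computed over the canonical owner name followed by the DNSKEY RDATA (RFC 4034, section 5.1.4), so the same public key published under two zone names produces two different DS records; comparing DS records at the registry therefore cannot reveal that a key is shared. The key tag (RFC 4034, Appendix B) is computed over the RDATA alone and is identical for both, and comparing the RDATA itself is what would detect reuse. The following is an added example written for this page, not code from the thread or from OpenDNSSEC; the key bytes are constructed and are not a real RSA public key.

```python
"""DS digests hide key reuse across owner names; DNSKEY RDATA does not.

Added example. SHARED_KEY/OTHER_KEY are constructed bytes, not real keys.
"""
import hashlib
from collections import defaultdict


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    name = name.lower().rstrip(".")
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError(f"bad label: {label!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag; depends only on the RDATA, not the owner name."""
    if rdata[3] == 1:
        raise NotImplementedError("algorithm 1 (RSA/MD5) uses a different key tag rule")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(canonical owner name | DNSKEY RDATA). Type 1 = SHA-1, 2 = SHA-256."""
    h = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest()


def find_reused_keys(zones):
    """Group (owner, rdata) pairs by RDATA; return only keys published under more than one owner."""
    by_key = defaultdict(list)
    for owner, rdata in zones:
        by_key[rdata].append(owner)
    return {rdata: owners for rdata, owners in by_key.items() if len(owners) > 1}


# Constructed key material: deterministic filler bytes, not real public keys.
SHARED_KEY = hashlib.sha512(b"constructed demo key A, not a real public key").digest()
OTHER_KEY = hashlib.sha512(b"constructed demo key B, not a real public key").digest()


def demo():
    """Publish SHARED_KEY under two zones and OTHER_KEY under a third; compare DS and key tags."""
    ksk_flags = 257   # Zone Key + SEP bit
    alg = 8           # RSA/SHA-256
    zones = [
        ("example.org.", dnskey_rdata(ksk_flags, alg, SHARED_KEY)),
        ("example.net.", dnskey_rdata(ksk_flags, alg, SHARED_KEY)),
        ("example.com.", dnskey_rdata(ksk_flags, alg, OTHER_KEY)),
    ]
    ds = {owner: ds_digest(owner, rdata) for owner, rdata in zones}
    tags = {owner: key_tag(rdata) for owner, rdata in zones}
    reused = [sorted(owners) for owners in find_reused_keys(zones).values()]
    return {"ds": ds, "key_tag": tags, "reused": reused}


if __name__ == "__main__":
    result = demo()
    for owner, digest in result["ds"].items():
        print(f"{owner:13} keytag={result['key_tag'][owner]:5} DS={digest[:16]}...")
    print("zones sharing one key:", result["reused"])
```

Running it shows example.org. and example.net. with the same key tag but different DS digests, which is why a registry that only sees DS records has nothing to cross-check. Note that an equal key tag alone is weak evidence (it is a 16-bit checksum), so any reuse check has to compare the full DNSKEY RDATA, as find_reused_keys does.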