[Opendnssec-develop] Zone moving between operators

Roy Arends roy at nominet.org.uk
Thu Mar 26 08:41:56 UTC 2009

"Antoin Verschuren" <Antoin.Verschuren at sidn.nl> wrote on 03/26/2009 
02:07:28 AM:

> Hmm, that means an extra thing to think about as a registry to 
> implement DNSSEC: Upgrade your systems to be able handle 10M 
> transactions you normally do in a year to appear in 1 second. I 
> think our management will say no to DNSSEC.

For what its worth, it would be really hard to stop anyone from using a 
single key for all their zones. public keys can be re-used, just change 
the ownername, right? This is independent of OpenDNSSEC. One could have 
100 keys on their HSM. All copies of the same key. Do you require us to 
check them all? What about bind's dnssec tools? How can this policy be 
technically enforced? Are you planning, as a registry, to cross check a 
millions of DS records?
> It is my business as a parent if I need to verify the trust anchor 
> I'm providing to my children.

That is besides the point, right? You authenticate the 
registrar/registrant. You check if their DS matches their key. The buck 
stops there I guess. Are you going to check the trust anchor against all 
existing trust anchors ? What if one matches? Are you then telling the 
registrar/registrant that they just can't do that?

> You can have as many keys in your zone as you want, but if you want 
> me to update your DS in my zone, you better not send them to me all at 

And _that_ is the way to do it. Drop these policy bits in an SLA, but 
don't cripple the software.
> I used to work for a number of ISP's too.

I just worked for one in the past. does that count?


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090326/3e2bc2dd/attachment.htm>

More information about the Opendnssec-develop mailing list