On Tue, Jun 13, 2006 at 01:18:06AM -0700, Randy Bush wrote:
> actually, i think it most important that a proposed dlv service make very clear its security policy and process in vetting the correctness of the data it serves, i.e. the trust anchors for dependent zones.
Oh, you're asking specifically for more detail than is on our web page, then ('Registering your zone key in the DLV tree'). You mentioned that this would have relevance to future practices should the root be signed, and I can't for the life of me see how. I think this is an artificial problem that arises only for ISC since we're out of the delegation loop (except where we can authenticate registries and receive trust anchors from them). Do you imagine that, if IANA/ICANN/USDOT/someone were told to implement a policy to sign the root, that they would have trouble identifying the owners of the TLDs reliably? If so, wouldn't this problem already exist today in the information already present in the root zone?
> once one can have confidence in the correctness of the data served, one might then become inclined to worry about the reliability of the service :-).
--
David W. Hankins
Software Engineer
Internet Systems Consortium, Inc.

"If you don't do it right the first time, you'll just have to do it again."
-- Jack T. Hankins