On Nov 3, 2008, at 16:22, bmanning@vacation.karoshi.com wrote:
that's hardly true - unless the presumptive argument is that the generator also signs.
Well Bill, that seems to be a valid assumption as far as this WG goes. Other options are theoretically possible, but from a pragmatic PoV they don't make sense IMO. Having one entity create an unsigned file to give to someone else to sign (and distribute?) just adds more complexity and more opportunities for things to go wrong. One could also argue that "generating" the zone includes the insertion of RRSIGs, DS records, NSEC3 and so on.
going w/ your earlier thread, the pragmatic approach (get the zone signed this decade) is exactly down that line of argument.
Indeed. Let's get the root signed! Soon!
I, however, am taking a slightly divergent POV. I think it is required to create a third party to generate/hold/use the keys (some blend of options #3 and #6 in the graphics)
a strictly technical solution would be to eliminate two of the three parties currently involved. there is no technical reason things are structured the way they are today.
By all means, Bill, express that as your view when you respond to the NTIA consultation. However, please don't open up that can of worms here. There are diverging (perhaps mutually exclusive) views in this WG about which of the NTIA proposals are better/ideal/preferred. I doubt a consensus can emerge around one of them from the WG and we've pretty much decided not to try and look for that because it's likely to be impossible in the time available, if ever. Instead, there's a consensus to state the general high-level principles that we would like to see in a signed DNS root. This was the general direction which prevailed in Dubai last week.
there are sound political reasons to create a new structure, one that does not assemble the data or publish the data but simply attests to the data.
Well, so far, Bill, I hear no-one else supporting that view. I would advise the WG against exploring this approach right now. Firstly, the clock is ticking. If we can't get consensus on an NTIA response by the end of this week, it's over. If the WG can't make up its mind by then, we can't ask for RIPE community endorsement in time to get something sent to NTIA by the deadline. Which is just 3 weeks away. The second reason is that raising the prospect of creating a new structure will open up all sorts of layer-9 and above rat-holes that will take forever to resolve. This will give the politicians and lawyers an opportunity to pile in and start arguments that will go on until the start of the next Ice Age. IMO that would be bad.
anyway, point 10 would be clearer if the reason for the must was made explicit.
Noted. Can we agree to leave the matter there? I'll add some explanatory text for the next version.