On 20 Apr 2011, at 09:56, Brett Carr wrote:
Anand talked first about AP 57.1: The RIPE NCC supports signing of the root and had planned to upload its trust anchors into the ISC DLV.
Shouldn't this say "had planned not to upload it's trust anchors"?
I don't think so Brett. Here's an extract from the RIPE57 minutes: There was a question about how to get the trust anchors for the RIPE NCC domains. Anand explained that they could be found on the secure website <https://www.ripe.net/projects/disi//keys/index.html>. Anand was asked to look into DLV, which would make keeping track of key rollovers easier. ACTION: NCC (Anand) to consider DLV for the Trust Anchors maintained by the NCC You might recall a lot of WG activity around RIPE57 was spent on a response to the NTIA proposals for signing the root. And it was unclear how or when .arpa and its subdomains would get signed if/when the root got signed. So at that time, the ISC DLV was pretty much the only option that was open to the NCC for its signed reverse tree. Sigh. IANA's ITAR only handled TLD keys. IIUC the NCC never lodged their KSKs with ISC's DLV thing. Though they somehow ended up there and this created some issues later. PS it should have been "upload its trust anchors". It's a pet peeve of mine when people type "it's" (it is) when they mean "its" (possessive of it). I know. I need to get out more.