nanog mailing list archives

Re: .gov DNSSEC operational message


From: Jay Ashworth <jra () baylink com>
Date: Tue, 28 Dec 2010 22:34:20 -0500 (EST)

---- Original Message -----
From: "Kevin Oberman" <oberman () es net>

There is no reason that you could not do OOB transfers of keys, but it
would be so cumbersome with the need to maintain keys for every TLD
(and, for that matter, every zone under them) and deal with key rolls
at random intervals and confirm that the new keys you were getting were,
in fact, legitimate would be more than overwhelming. It just does not
scale.

I apologize; I was not clear.

I was not suggesting OOB *production transfer of keying information*.

I was rather suggesting that an additional publication of the keys, in
an authenticatable manner, which could be used by anyone who believed
that Something Hincky might be going on to confirm or deny, might be
useful.

Cheers,
-- jra

