21 Oct 2008, 5:34 p.m.
On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
> IMO, there's no "lawyer stuff" here. At least as far as signing the root is concerned. All that's happening is some TLD presents its KSK, IANA verifies that key and then causes a signature over that key to be generated. Which pretty much means that IANA is saying "we assert that this was the TLD KSK that we checked": nothing more.
IMHO it is important to emphasize that the semantics are in the DS RR, not in the RRSIG(DS). The latter only authenticates the (technically authoritative) DS RR in the parent zone. At least in theory, one could start to publish DS RRs without signing them.

-Peter
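The distinction drawn above shows up in how a DS is derived and matched: the parent's DS names one specific child KSK by digest (RFC 4034 section 5.1.4, digest type 2 from RFC 4509), and no signature takes part in that binding. This is an added example, not part of the original message; the zone name and key bytes are constructed placeholders, not real keys.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire format of a domain name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over DNSKEY RDATA as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """DS fields (key tag, algorithm, digest type, digest), SHA-256 digest."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)

def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True if the child's DNSKEY is the key the parent's DS refers to."""
    return make_ds(owner, rdata) == ds

# Constructed sample data: two placeholder KSKs (flags 257) for "example."
KSK_A = dnskey_rdata(257, 3, 8, bytes(range(64)))
KSK_B = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))

def demo():
    ds = make_ds("example.", KSK_A)   # what the parent zone publishes
    return {
        "ds": ds,
        "checked_key": ds_matches("example.", KSK_A, ds),
        "other_key": ds_matches("example.", KSK_B, ds),
    }

if __name__ == "__main__":
    result = demo()
    print(result["ds"][0], result["ds"][3].hex())
    print(result["checked_key"], result["other_key"])
```

An RRSIG over this DS would let a validator authenticate the record as the parent zone's data; the choice of which child key is designated is already fixed by the DS fields computed here.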