On Mon, Oct 20, 2008 at 05:26:12PM +0100, Jim Reid wrote:
> I appreciate that some people will feel that legal agreements are an unavoidable consequence of signing. However that's a matter between each TLD (and its government?) and those co-ordinating the root. There are no technical grounds for parent and child zones to have a legal agreement underpinning their use of DNSSEC. So if a TLD wants to have a signed delegation, they can do that with or without an agreement or anything that could be viewed as an acceptance of the way the root is managed today. If a TLD doesn't want to have a signed delegation, then they don't have to. Nobody's being compelled to do anything they don't want.

well... as Lutz has demonstrated, it's often difficult to have a signed delegation and also be able to restrict who picks up your DNSKEY and plops it into their version of the parent delegation.

> All that's happening is some TLD presents its KSK, IANA verifies that key and then causes a signature over that key to be generated. Which pretty much means that IANA is saying "we assert that this was the TLD KSK that we checked": nothing more.

perhaps, if one buys into the argument that there is only a single parent. The .RU folks may want their signed data to only follow the JIMREID-root-o-ultimate-correctness and not appear at all in those fly-by-night outfits (PACROOT, ORSN, ICANN & RS.NET) ... harvesting DNSKEYs seems to be a very lightweight means of "asserting that this was the TLD-KSK that we checked".

> Likewise, they may well need to consult widely inside Russia before submitting a KSK for .ru to the signed root, if that was in place.

DNSKEY harvesting is a means to avoid having a formal means to submit your data to your parent ... any/everyone can pick it up and claim your ancestry.

--bill
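The point made in this thread, that a parent (any parent) can publish a signed delegation for a child using nothing but the child's public DNSKEY, follows from how a DS record is built: per RFC 4034 section 5.1.4 it is a hash over the owner name in canonical wire form plus the DNSKEY RDATA, and per Appendix B the key tag is a checksum of that same RDATA. The following script is an added illustration, not code from anyone in the thread; it takes a presentation-format DNSKEY RR and derives the DS record a parent zone would publish. The DNSKEY line it uses is constructed for the example (the base64 blob is four arbitrary bytes, not a real key), and the function and variable names are the author's own.

```python
import base64
import hashlib
import struct

# Constructed sample record: "example." KSK (flags 257 = zone key + SEP), protocol 3,
# algorithm 8 (RSA/SHA-256). The public key material is the dummy bytes 01 02 03 04.
SAMPLE_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical wire form (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5):
    sum the RDATA as big-endian 16-bit words and fold the carry once."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'
    and rebuild the RDATA exactly as it appears on the wire."""
    fields = line.split()
    owner = fields[0]
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, flags, proto, alg, rdata


def ds_from_dnskey(line: str, digest_type: int = 2) -> dict:
    """Derive the DS record for a DNSKEY RR. Digest types: 1 = SHA-1, 2 = SHA-256,
    4 = SHA-384. The input is entirely public, which is why any operator of a
    parent zone can produce this record without the child's cooperation."""
    owner, flags, proto, alg, rdata = parse_dnskey(line)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return {
        "owner": owner,
        "key_tag": key_tag(rdata),
        "algorithm": alg,
        "digest_type": digest_type,
        "digest": digest,
        "ksk": bool(flags & 0x0001),  # SEP bit: the key a parent is expected to point at
    }


def format_ds(ds: dict) -> str:
    """Presentation form of the DS RR as it would appear in the parent zone."""
    return (f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")


if __name__ == "__main__":
    print(format_ds(ds_from_dnskey(SAMPLE_DNSKEY)))
```

Running it prints a DS line for the sample key; the same owner name and RDATA always yield the same DS, and nothing in the computation involves the child's private key or any agreement with the child. That is the whole of what "harvesting" a DNSKEY requires, and also why the only real control a zone has over which parents publish a DS for it is which trust anchors validators choose to configure.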