[127845] in North American Network Operators' Group


Re: Root Zone DNSSEC Deployment Technical Status Update

daemon@ATHENA.MIT.EDU (Chris Adams)
Fri Jul 16 11:32:49 2010

Date: Fri, 16 Jul 2010 10:32:33 -0500
From: Chris Adams <cmadams@hiwaay.net>
To: nanog@nanog.org
Mail-Followup-To: Chris Adams <cmadams@hiwaay.net>, nanog@nanog.org
In-Reply-To: <20100716145315.GA19935@ussenterprise.ufp.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Once upon a time, Leo Bicknell <bicknell@ufp.org> said:
> Perhaps you could explain why the keys are being made available in
> formats that, as far as I can tell, no nameserver software on the
> planet uses?  Pretty much 100% of the users will need a conversion
> from one of the 6 formats you provided, when you could have provided
> 6 example configs for the 6 most popular nameserver packages and
> covered 99% of the users with cut and paste.

There aren't 6 formats, there is just one format provided for the
current trust anchor set: XML.  A simple XSLT will transform it into any
needed format.

Individual trust anchors (there's only one at the moment) are provided
in two formats: PKCS#10 (for signing) and X509 (signed by ICANN).  There
are also detached signatures (in PKCS#7 format for validation against
the ICANN cert bundle and in OpenPGP format) of the XML anchor set file.

This is all in the documentation in the same directory (in plain-text
and HTML formats).
-- 
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
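
The transform mentioned in the message above, as an added example that is not part of the original post: written in Python rather than XSLT, it turns a trust anchor XML set into DS records and rejects entries that are outside their validity window or whose digest length does not match the digest type. The element and attribute names are assumed to follow the layout documented in RFC 7958, which the message does not show; the id, key tags and digests in the sample are constructed placeholders, and the file is assumed to have had its detached signature verified before this step.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample; element names assumed per RFC 7958. The id, key tags and
# digests are placeholders, not real root-zone values.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<TrustAnchor id="00000000-0000-0000-0000-000000000000" source="http://example.invalid/anchors.xml">
  <Zone>.</Zone>
  <KeyDigest id="K-expired" validFrom="2010-01-01T00:00:00+00:00" validUntil="2010-06-01T00:00:00+00:00">
    <KeyTag>11111</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>""" + "AB" * 32 + """</Digest>
  </KeyDigest>
  <KeyDigest id="K-current" validFrom="2010-07-15T00:00:00+00:00">
    <KeyTag>12345</KeyTag><Algorithm>8</Algorithm><DigestType>2</DigestType>
    <Digest>""" + "CD" * 32 + """</Digest>
  </KeyDigest>
</TrustAnchor>"""

# Digest length in hex characters per DS digest type (1 = SHA-1, 2 = SHA-256, 4 = SHA-384).
DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}

def anchors_to_ds(xml_text, now):
    """Return DS records (presentation format) for the anchors valid at `now`."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in an anchor file")
    root = ET.fromstring(xml_text)
    if root.tag != "TrustAnchor":
        raise ValueError("unexpected root element: %r" % root.tag)
    zone = root.findtext("Zone", "").strip()
    records = []
    for kd in root.findall("KeyDigest"):
        start = datetime.fromisoformat(kd.get("validFrom"))
        until = kd.get("validUntil")
        if now < start or (until and now >= datetime.fromisoformat(until)):
            continue  # not yet valid, or already retired
        tag, alg, dtype = (int(kd.findtext(n)) for n in ("KeyTag", "Algorithm", "DigestType"))
        digest = kd.findtext("Digest").strip().upper()
        if dtype not in DIGEST_HEX_LEN or not re.fullmatch(r"[0-9A-F]{%d}" % DIGEST_HEX_LEN[dtype], digest):
            raise ValueError("digest does not match digest type for %s" % kd.get("id"))
        if not 0 <= tag <= 65535:
            raise ValueError("key tag out of range for %s" % kd.get("id"))
        records.append("%s IN DS %d %d %d %s" % (zone, tag, alg, dtype, digest))
    return records

if __name__ == "__main__":
    for rr in anchors_to_ds(SAMPLE_XML, datetime(2010, 7, 16, tzinfo=timezone.utc)):
        print(rr)
```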

