Wiki source for dnssecds
======TLD DS Distribution======
Two problems are discussed here: getting the root DS key out in a secure and timely manner, and securely receiving DS records from TLDs. These problems sound simple to solve, but they're actually not. Distributing the DS keys is easy, but ensuring the people receiving the keys can trust them is not. We need to ensure that both the keys sent and the keys received are trustworthy. This comes down to GPG and the web-of-trust ideals.
===Root DS Distribution===
We've had a few ideas for ways we can distribute the root DS keys; they've all been listed on the project page.
==GPG==
Making the DS key available for download on some webspace would allow easy download access. This key could then be GPG-verified via a quick DNS TXT lookup for the GPG signature.
==HTTPS==
Making the DS available on an HTTPS server, so the end user can trust the SSL certificate. This idea would require the creation of an OpenNIC CA server. Not a bad idea, as the CA is on our task list already.
===TLD DS Receiving===
We also need a solution for getting the DS keys from TLDs. I have only one idea for this so far, which came from Brianko.
==RSYNC==
TLDs can be given an SSH key to utilise rsync via SSH. This will ensure one level of trust from the TLD admins. The next level of trust will be GPG verification of the transferred key. If a key is not verified, it will not be included in the root. This will not assist lazy admins, but it needs to be done.
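As an added illustration (not code from this page or the OpenNIC project), the receiving side can complement the GPG check above with a consistency check before a DS goes into the root: the received DS must actually be the digest of a DNSKEY the TLD publishes, or it is dropped. It assumes both records arrive in standard presentation format; the sample TLD key is constructed and not a real key.

```python
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(text):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, wire RDATA)."""
    f = text.split()
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(dnskey_text, digest_type=2):
    """The DS presentation line a TLD should send for this DNSKEY (default SHA-256 digest)."""
    owner, rdata = parse_dnskey(dnskey_text)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches_dnskey(ds_text, dnskey_text):
    """True only if owner, key tag, algorithm and digest of the received DS all agree with the DNSKEY."""
    f = ds_text.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    owner, rdata = parse_dnskey(dnskey_text)
    if dtype not in DIGEST_ALGS or name_to_wire(f[0]) != name_to_wire(owner):
        return False
    if tag != key_tag(rdata) or alg != rdata[3]:
        return False
    expected = DIGEST_ALGS[dtype](name_to_wire(owner) + rdata).hexdigest().upper()
    return expected == "".join(f[i + 4:]).upper()

def accept_for_root(received_ds, published_dnskeys):
    """Keep only the received DS lines that match one of the TLD's published DNSKEYs."""
    return [ds for ds in received_ds if any(ds_matches_dnskey(ds, k) for k in published_dnskeys)]

# Constructed sample (not a real key): a hypothetical TLD KSK whose public key is the bytes 01 02 03 04.
SAMPLE_DNSKEY = "geek. IN DNSKEY 257 3 8 AQIDBA=="
```

The DNSKEY to compare against is the one actually served by the TLD's nameservers, fetched separately from the rsync channel, so a DS that was transferred correctly but never matched the live key still stays out of the root.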