This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] DNSSEC Policy Development Process

Previous message (by thread): [dns-wg] DNSSEC Policy Development Process
Next message (by thread): [dns-wg] DNSSEC Policy Development Process

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Randy Bush randy at psg.com
Tue Aug 30 18:09:38 CEST 2005

> I agree that if we do not get to a point where validators only have
> to configure between one and a handful of trust-anchors and those
> trust-anchors get automatically rolled DNSSEC will not reach the
> masses.
> 
> On the other hand we have to start deploying somewhere.

while i do have sympathy for this, when i consider, or try to
consider, what the trust model and reliability of low-level roll-out
of a hundred or a thousand scattered zones, the mind boggles.  as
trust keys require manual maintenance, there will be seemingly random
failures, real fun debugging, ...  and the trust won't distribute,
it's SxC.

hence, i think of it as more operational practice than deployment.
testing whether folk can configure servers and clients, and
reconfigure them, and debug them, and ...  in a sense, this is a good
thing.  in another sense, it is expensive at a time when we are not
rich.

randy

Previous message (by thread): [dns-wg] DNSSEC Policy Development Process
Next message (by thread): [dns-wg] DNSSEC Policy Development Process

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]