[dns-wg] getting DNSSEC deployed

>>> I very much doubt anyone's going to take responsibility for
>>> signing the root unless they know that, yes DNSSEC really does
>>> work and won't break the internet.
>> bs.  that is not the problem at the root.  it's all layer nine.
> Nobody said this was an issue at the root Randy.

false.  i did.  if the root is not signed, dnssec is an unstabele
and unscalable mess, with disasters for the end users waiting to
happen.

> And whether that's a layer-9 issue or not is irrelevant too

not when you seem to be trying to fix it at layers 3-7.

> this genuine problem -- you'd presumably call it a non-problem --
> has to be resolved somehow.

i consider it a major problem.  and the only solution is getting
iana to sign the root zone.  whether we like it or not, that is the
way dnssec was designed.

> Getting real-world experience of what happens when DNSSEC is
> switched on is part of that process. So the recent moves in
> Sweden are to be commended as a step towards getting that
> experience. I'm disappointed if you don't share that view.

you should be used to me dissapointing you.  after all, i am the
guy publicly blamed for delaying dnssec for years.

isolated deployments of dnssec will have interesting results.  i
eagerly await the results from sweden rolling their key in an
emergency.

and no, lutz, dlv has an unspecified trust model.  and the answers
to the trust model promised in san jose nanog many moons ago have
yet to be given.

randy