This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] getting DNSSEC deployed
Olaf M. Kolkman
olaf at NLnetLabs.nl
Wed Feb 14 22:38:14 CET 2007
On 14 Feb 2007, at 9:11 PM, Lutz Donnerhacke wrote:

> * David Conrad wrote:
>> On Feb 14, 2007, at 9:37 AM, Lutz Donnerhacke wrote:
>>> I do trust my DLV data. I offer it to others.
>>
>> And how do I trust the DLV registry you use?
>
> You can't without knowing me.

So, there you go.. remember what Randy just said:

> if the root is not signed, dnssec is an unstable
> and unscalable mess,

I am not a firm believer in DLV but I think it will allow the early deployers to familiarize themselves with the DNSSEC operational space.

But, life for the masses, as opposed to early deployers, will only be good once:

- The root is signed
- Automated trust anchor rollover works (work on that finished in DNSEXT and is now at IESG level)
- A fair amount of TLDs is signed

Until then we will have to live with kludges like DLV.

Now I appreciate Lutz' offer but I think that the more DLV registries will pop up the more confusion and troubleshooting hell will be created simply because users of different DLVs will have a different view on the namespace.

Note however that now, for folk who configure their nameservers to use a DLV registry things will not be radically different operationally than in the case of a signed root; they configure one trust anchor, and off they fly.

So as long as the root is not signed I hope that people will converge to using[*] one DLV registry and I also hope that the layer 9 stuff surrounding a signed root is being dealt with in an appropriate time window. (Neill just suggested one :-) ) .

--Olaf

[*] where using in this case means: take a leap of faith and put your trust in a particular DLV registry.

PS I appreciate the announcement about a validating recursive nameserver being turned on in some big IESP but I hope that will not become a trend ;-)

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/