This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] .ORG DNSSEC Survey

Previous message (by thread): [dns-wg] .ORG DNSSEC Survey
Next message (by thread): [dns-wg] .ORG DNSSEC Survey

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

David Conrad drc at virtualized.org
Tue Jun 24 23:47:03 CEST 2008

So, the signed root made available at ns.iana.org is a demonstration/ 
test service.

Originally, the plan was that it was going to be a production-quality  
signed root with its own set of secondaries that would allow folks who  
wanted to test DNSSEC in actual use to modify their root hints  
appropriately and go about their business.

As part of this demonstration/test service, I felt it appropriate to  
require the secondaries for that service to enter into an agreement  
that would require those secondaries to meet a base service level  
commitment and (more importantly) to agree to discontinue use when the  
real root was signed.

Some of the existing root server operators whom I contacted to provide  
secondary service felt this threatened their continued operation of  
their root servers.  They requested the service be made non-production  
quality, e.g., that IANA would take the service down periodically or  
otherwise make the service unreliable.  I personally thought this  
would render the service essentially unusable for the purposes of  
validating caching resolver experimentation/testing as it would mean  
ISPs who wanted to play couldn't point to the signed root in their  
customer facing resolvers.

Instead, Rick Lamb of IANA added some bogus TLDs with various failure  
modes (e.g., bad signatures, expired signatures, etc.)

In the end, I gave up trying to push the ns.iana.org experiment as I  
got extremely tired of the root server operator politics.  The signed  
root continues to be provided with a very elaborate and secure signing  
mechanism, but I wouldn't call the service provided at ns.iana.org  
production quality.

FWIW.

Regards,
-drc

On Jun 24, 2008, at 6:42 PM, Ray.Bellis at nominet.org.uk wrote:
>> https://ns.iana.org/dnssec/root.zone.signed
>
> Does anyone happen to know what all of the "bert" entries are in  
> there?
>
> badbert.                180     IN NS   NS.XTCN.COM.
> fallbert.               180     IN NS   NS.XTCN.COM.
> goodbert.               180     IN NS   NS.XTCN.COM.
> lazybert.               180     IN NS   NS.XTCN.COM.
>
> Ray
>
>

Previous message (by thread): [dns-wg] .ORG DNSSEC Survey
Next message (by thread): [dns-wg] .ORG DNSSEC Survey

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]