This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] .ORG DNSSEC Survey
David Conrad
drc at virtualized.org
Tue Jun 24 23:47:03 CEST 2008
So, the signed root made available at ns.iana.org is a demonstration/test service.

Originally, the plan was that it was going to be a production-quality signed root with its own set of secondaries that would allow folks who wanted to test DNSSEC in actual use to modify their root hints appropriately and go about their business. As part of this demonstration/test service, I felt it appropriate to require the secondaries for that service to enter into an agreement that would require those secondaries to meet a base service level commitment and (more importantly) to agree to discontinue use when the real root was signed.

Some of the existing root server operators whom I contacted to provide secondary service felt this threatened their continued operation of their root servers. They requested the service be made non-production quality, e.g., that IANA would take the service down periodically or otherwise make the service unreliable. I personally thought this would render the service essentially unusable for the purposes of validating caching resolver experimentation/testing as it would mean ISPs who wanted to play couldn't point to the signed root in their customer facing resolvers. Instead, Rick Lamb of IANA added some bogus TLDs with various failure modes (e.g., bad signatures, expired signatures, etc.)

In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics. The signed root continues to be provided with a very elaborate and secure signing mechanism, but I wouldn't call the service provided at ns.iana.org production quality.

FWIW.

Regards,
-drc

On Jun 24, 2008, at 6:42 PM, Ray.Bellis at nominet.org.uk wrote:

>> https://ns.iana.org/dnssec/root.zone.signed
>
> Does anyone happen to know what all of the "bert" entries are in
> there?
>
> badbert. 180 IN NS NS.XTCN.COM.
> fallbert. 180 IN NS NS.XTCN.COM.
> goodbert. 180 IN NS NS.XTCN.COM.
> lazybert. 180 IN NS NS.XTCN.COM.
>
> Ray