Re: [dns-wg] DNSSEC Policy Development Process
To: Randy Bush <>
From: Jim Reid <>
Date: Mon, 29 Aug 2005 15:10:14 +0100
Cc: Edward Lewis <>, Marcos Sanz/Denic <>,
On Aug 26, 2005, at 21:26, Randy Bush wrote:
In principle IAB could sign .arpa tomorrow, assuming someone was able
and willing to hold its KSKs.
Don't forget "in-addr.arpa." and "ip6.arpa." - they delegate some of
NCC's zones.
and don't forget that this does not scale.
Randy, you've confused me. What aspect of DNSSEC specifically "does
not scale"? Do you mean having everyone embed trust anchors in their
name server configurations for every signed TLD while we wait for the
root to be signed? If so, I agree that's not scalable. But that's not
what was under discussion here. At least I hope it wasn't.
manual coordination to maintain trusted keys for 292 tlds just
does not work. and that assumes that the tlds are signed, not
counting all the third and ninth level zones that make noise
when the zones above them are not signed.
I raised the prospect of getting .arpa signed, not 292 tlds. If this
was done, there would be one trust anchor for infrastructure zones
and that should simplify things in the context of the NCC's proposals
for deploying DNSSEC. Perhaps that might help the other RIRs to
follow the NCC's lead. It should also allow us to get operational
experience in handling keying material, signing policies and so on
that could inform the discussion on getting the root signed. i.e. once
the layer-9 stuff about that stopped (if it ever will), the lessons
learned from gradually deploying DNSSEC in .arpa could provide a
valuable knowledge base of practical experience to draw on.
this does not fly until the root is signed. and that does not
fly until there is a key management plan and technology for it.
Well yes. But somebody has to start somewhere. IMO signing .arpa
could/should be a stepping stone towards that goal.
Please note these are my personal opinions and the usual disclaimers
apply.