
Re: [dns-wg] DNSSEC Policy Development Process

  • To: Randy Bush
  • From: "Olaf M. Kolkman"
  • Date: Tue, 30 Aug 2005 09:58:58 +0200
  • Cc: Jim Reid

Just extracting one sentence out of Randy's e-mail:

no.  you just want me to hold the trust keys for the zones you
think are important.  and, in today's email (for some value of
'today'), brett warns us that he has a handful of third level
zones he thinks are important enough.

hence "does not scale."

RIPE NCC thinks it is important enough to sign the zones. If any of these handful of third level zones is not important enough for your operations to go through the trouble of validating, then you do not need to configure them. During early deployment of DNSSEC, there is a burden for the validating clients.

I agree that if we do not get to a point where validators only have to configure between one and a handful of trust-anchors and those trust-anchors get automatically rolled, DNSSEC will not reach the masses.

On the other hand we have to start deploying somewhere.

Olaf Kolkman


PS: The IETF DNSEXT group has a work item on automatic key-rollover; work is progressing slowly.





 
