Re: [dns-wg] DNSSEC Policy Development Process
To: "Olaf M. Kolkman" <>
From: Randy Bush <>
Date: Tue, 30 Aug 2005 06:09:38 -1000

> I agree that if we do not get to a point where validators only have
> to configure between one and a handful of trust-anchors and those
> trust-anchors get automatically rolled DNSSEC will not reach the
> masses.
>
> On the other hand we have to start deploying somewhere.

while i do have sympathy for this, when i consider, or try to
consider, what the trust model and reliability of low-level roll-out
of a hundred or a thousand scattered zones, the mind boggles. as
trust keys require manual maintenance, there will be seemingly random
failures, real fun debugging, ... and the trust won't distribute,
it's SxC.

hence, i think of it as more operational practice than deployment.
testing whether folk can configure servers and clients, and
reconfigure them, and debug them, and ... in a sense, this is a good
thing. in another sense, it is expensive at a time when we are not
rich.

randy