I agree that if we do not get to a point where validators only have
to configure between one and a handful of trust anchors, and those
trust anchors get automatically rolled, DNSSEC will not reach the
masses.
On the other hand we have to start deploying somewhere.
while i do have sympathy for this, when i consider, or try to
consider, what the trust model and reliability of low-level roll-out
of a hundred or a thousand scattered zones would be, the mind boggles.
as trust keys require manual maintenance, there will be seemingly
random failures, real fun debugging, ... and the trust won't
distribute, it's SxC.
This is why I suggested starting with trying to get .arpa signed.
Since it's controlled by the IAB, the zone should be free from the
level-9 (and up) issues that infest the root. That would/should mean
a single trust anchor for those who wanted to take part in the first
faltering steps towards DNSSEC deployment. In the context of what the
NCC is proposing, that would mean .arpa signing the KSKs for the
stuff delegated by IANA to the NCC. This has to be better than having
a bunch of trust anchors for each apex under ip6.arpa and
in-addr.arpa -- let's not forget e164.arpa too -- that's managed by the
NCC. We appear to agree that path is less than desirable.