About RIPE | Contact  | Search | Sitemap    
Homepage RIPE  
RIPE Community Mail Archives
search  
     
Next Sectionyou are here: RIPE -> RIPE Maillists > Archives
RIPE Navigation Ends
About RIPE Maillists
Maillists Archive
Global Lists
Non Active Lists
RIPE NCC Navigation Ends
Next Section
<<< Chronological >>> Author Index    Subject Index <<< Threads >>>

Re: [dns-wg] .ORG DNSSEC Survey

  • To: Ray.Bellis@localhost
  • From: David Conrad drc@localhost
  • Date: Tue, 24 Jun 2008 23:47:03 +0200
So, the signed root made available at ns.iana.org is a demonstration/ test service.
Originally, the plan was that it was going to be a production-quality signed root with its own set of secondaries that would allow folks who wanted to test DNSSEC in actual use to modify their root hints appropriately and go about their business.
As part of this demonstration/test service, I felt it appropriate to require the secondaries for that service to enter into an agreement that would require those secondaries to meet a base service level commitment and (more importantly) to agree to discontinue use when the real root was signed.
Some of the existing root server operators whom I contacted to provide secondary service felt this threatened their continued operation of their root servers. They requested the service be made non-production quality, e.g., that IANA would take the service down periodically or otherwise make the service unreliable. I personally thought this would render the service essentially unusable for the purposes of validating caching resolver experimentation/testing as it would mean ISPs who wanted to play couldn't point to the signed root in their customer facing resolvers.
Instead, Rick Lamb of IANA added some bogus TLDs with various failure modes (e.g., bad signatures, expired signatures, etc.)
In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics. The signed root continues to be provided with a very elaborate and secure signing mechanism, but I wouldn't call the service provided at ns.iana.org production quality. 

FWIW.

Regards,
-drc

On Jun 24, 2008, at 6:42 PM, Ray.Bellis@localhost wrote:

https://ns.iana.org/dnssec/root.zone.signed
Does anyone happen to know what all of the "bert" entries are in there? 

badbert.                180     IN NS   NS.XTCN.COM.
fallbert.               180     IN NS   NS.XTCN.COM.
goodbert.               180     IN NS   NS.XTCN.COM.
lazybert.               180     IN NS   NS.XTCN.COM.

Ray
Post To The List:

Replies

Message References

<<< Chronological >>> Author    Subject <<< Threads >>>
 

Next Section
     About RIPE | Site Map | LIR Portal | About the RIPE NCC | Contact | © RIPE Community. All rights reserved.
RIPE.NET Homepage LIR Portal RIPE Community