[dns-wg] DNSSEC Policy Development Process
Randy Bush
randy at psg.com
Tue Aug 30 18:09:38 CEST 2005
> I agree that if we do not get to a point where validators only have
> to configure between one and a handful of trust-anchors and those
> trust-anchors get automatically rolled DNSSEC will not reach the
> masses.
>
> On the other hand we have to start deploying somewhere.

while i do have sympathy for this, when i consider, or try to consider, what the trust model and reliability of low-level roll-out of a hundred or a thousand scattered zones, the mind boggles. as trust keys require manual maintenance, there will be seemingly random failures, real fun debugging, ... and the trust won't distribute, it's SxC.

hence, i think of it as more operational practice than deployment. testing whether folk can configure servers and clients, and reconfigure them, and debug them, and ... in a sense, this is a good thing. in another sense, it is expensive at a time when we are not rich.

randy