[dns-wg] getting DNSSEC deployed
Olaf M. Kolkman
olaf at NLnetLabs.nl
Wed Feb 14 22:38:14 CET 2007

On 14 Feb 2007, at 9:11 PM, Lutz Donnerhacke wrote:

> * David Conrad wrote:
>> On Feb 14, 2007, at 9:37 AM, Lutz Donnerhacke wrote:
>>> I do trust my DLV data. I offer it to others.
>>
>> And how do I trust the DLV registry you use?
>
> You can't without knowing me.

So, there you go.. remember what Randy just said:

> if the root is not signed, dnssec is an unstable
> and unscalable mess,

I am not a firm believer in DLV but I think it will allow the early deployers to familiarize themselves with the DNSSEC operational space.

But, life for the masses, as opposed to early deployers, will only be good once:

- The root is signed
- Automated trust anchor rollover works (work on that finished in DNSEXT and is now at IESG level)
- A fair amount of TLDs is signed

Until then we will have to live with kludges like DLV.

Now I appreciate Lutz' offer but I think that the more DLV registries will pop up the more confusion and troubleshooting hell will be created simply because users of different DLVs will have a different view on the namespace.

Note however that now, for folk who configure their nameservers to use a DLV registry things will not be radically different operationally than in the case of a signed root; they configure one trust anchor, and off they fly.

So as long as the root is not signed I hope that people will converge to using[*] one DLV registry and I also hope that the layer 9 stuff surrounding a signed root is being dealt with in an appropriate time window. (Neill just suggested one :-) ).

--Olaf

[*] where using in this case means: take a leap of faith and put your trust in a particular DLV registry.

PS I appreciate the announcement about a validating recursive nameserver being turned on in some big IESP but I hope that will not become a trend ;-)

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/