[dns-wg] root zone signing

On Mon, Oct 20, 2008 at 03:50:46PM -0700, David Conrad wrote:
> Bill,
> 
> On Oct 20, 2008, at 11:34 AM, bmanning at vacation.karoshi.com wrote:
> >	perhaps, if one buys into the argument that there is only a
> >	single parent.
> 
> So, just to be clear, you're arguing the root shouldn't be signed and  
> instead each validating resolver operator should harvest DNSKEYs of  
> all zones that are signed?

	no i am not.  i report that the action of harvesting DNSKEYs
	and installing them into a zone purporting to be a parent is
	currently common practice.

	i have said nothing in this thread about the desirability or
	not of having signed zones.  what can be infered is that there
	are and will be many parties claiming to be "the root" and
	there is currently little to distinguish one from the other.

	even if one signs ones TLD, there is zero assurance that only
	a single root will harvest the DNSKEY and install it in their
	version of "the root".

> Couldn't you harvest DNSKEYs regardless of whether the root is signed  
> or not?

	I could (but will not).  Lutz can and does harvest DNSKEYs and
	installs them in the root.  Its just not your version of "the root".
	It's not mine either.  But then, mine is not shared by too many.


> Thanks,
> -drc


Your Welcome,

--bill