[dns-wg] root zone signing
- Previous message (by thread): [dns-wg] root zone signing
- Next message (by thread): [dns-wg] root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
bmanning at vacation.karoshi.com
bmanning at vacation.karoshi.com
Tue Oct 21 00:59:01 CEST 2008
On Mon, Oct 20, 2008 at 03:50:46PM -0700, David Conrad wrote: > Bill, > > On Oct 20, 2008, at 11:34 AM, bmanning at vacation.karoshi.com wrote: > > perhaps, if one buys into the argument that there is only a > > single parent. > > So, just to be clear, you're arguing the root shouldn't be signed and > instead each validating resolver operator should harvest DNSKEYs of > all zones that are signed? no i am not. i report that the action of harvesting DNSKEYs and installing them into a zone purporting to be a parent is currently common practice. i have said nothing in this thread about the desirability or not of having signed zones. what can be infered is that there are and will be many parties claiming to be "the root" and there is currently little to distinguish one from the other. even if one signs ones TLD, there is zero assurance that only a single root will harvest the DNSKEY and install it in their version of "the root". > Couldn't you harvest DNSKEYs regardless of whether the root is signed > or not? I could (but will not). Lutz can and does harvest DNSKEYs and installs them in the root. Its just not your version of "the root". It's not mine either. But then, mine is not shared by too many. > Thanks, > -drc Your Welcome, --bill
- Previous message (by thread): [dns-wg] root zone signing
- Next message (by thread): [dns-wg] root zone signing
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]