[dns-operations] Online DNSSEC debugging tool now availalbe

Andrew Sullivan ajs at shinkuro.com
Sun Jul 18 03:30:22 UTC 2010


On 2010-07-17, at 22:45, Randy Bush <randy at psg.com> wrote:

> odd that the .org registry, after a year+ of marketing noise, seems not
> to have registered their DS in time under well documented procedure.

Why is this odd?  Early deployers (especially those who started before it was clear the root would ever be signed) have to do a lot of analysis and thinking before deciding how to deal with the possible effects of the DS in the parent, particularly in light of the (IMO, wrong) trust-closest-key rule so widely deployed. I don't know that I wouldn't have sent the DS to the root if I'd been in PIR's position, but we needn't be snide and suggest this was a no-brainer.  Different competent operators may come to different conclusions in the face of the same evidence. 

A
-- 
Andrew Sullivan
<ajs at shinkuro.com>


More information about the dns-operations mailing list