[dns-operations] Online DNSSEC debugging tool now availalbe

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Sun Jul 18 05:15:37 UTC 2010


On Sat, Jul 17, 2010 at 11:30:22PM -0400, Andrew Sullivan wrote:
> 
> On 2010-07-17, at 22:45, Randy Bush <randy at psg.com> wrote:
> 
> > odd that the .org registry, after a year+ of marketing noise, seems not
> > to have registered their DS in time under well documented procedure.
> 
> Why is this odd?  Early deployers (especially those who started before it was clear the root would ever be signed) have to do a lot of analysis and thinking before deciding how to deal with the possible effects of the DS in the parent, particularly in light of the (IMO, wrong) trust-closest-key rule so widely deployed. I don't know that I wouldn't have sent the DS to the root if I'd been in PIR's position, but we needn't be snide and suggest this was a no-brainer.  Different competent operators may come to different conclusions in the face of the same evidence. 
> 

	I guess the reason that you think that trusting the closest enclosing key is wrong
	is that we may have some divergent views on the use of the term "closest"...
	Are you thinking that its wrong to trust a key closest to the validator or closest to
	the root?

--bill


> A
> -- 
> Andrew Sullivan
> <ajs at shinkuro.com>
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations



More information about the dns-operations mailing list