[dns-operations] Racing to DNSSEC was Re: Online DNSSEC debugging tool now available

Edward Lewis Ed.Lewis at neustar.biz
Sun Jul 18 17:11:46 UTC 2010

At 17:54 +0200 7/18/10, Patrik Fältström wrote:
>On 18 jul 2010, at 17.37, Edward Lewis wrote:
>> I can think of a number of reasons why not to
>> have the DS record in the root zone right now.
>Can you mention some? I would like to know what you have in mind.

"One step at a time" is the first that comes to 
mind.  Changing the nature of the root zone now, 
changing the nature of the delegation to the TLD 
next is smoother to me than bringing it all up at 
once.  For years DNSSEC deployment preached that 
a full tree was unnecessary, "islands of 
security" were anticipated.  Piecemeal transition 
is not a bad thing, and it is what has been 
anticipated all along.

The overall stability of DNS software is less now 
than it has historically been due to the new code 
paths written for DNSSEC.  I.e., no one 
(authoritative or more importantly recursive) can 
be running 5 year-old code and handle RSA/SHA256 
or NSEC3.  I cannot say I have full confidence in 
what's out there.

If the root zone goes belly up, everything does. 
But if the root zone only goes belly up for 
DNSSEC, and the TLDs aren't chained, things will 
work out.

In the scheme of things, I fail to see much 
importance on having a TLD's DS appear in either 
July or August.  This isn't a reason per se to 
not submit a DS record, but, it fails to make me 
think the reward of the risk-vs-reward equation 
tips favorably towards submission right now.

A month from now, more or less, might be all the 
time I'd wait.  I am not thinking "years."

Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
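The message turns on how a validating resolver treats a signed TLD whose DS is, or is not, published in the root: chained, it is validated from the root anchor; unchained, it is an "island" that validates only if the resolver carries its own trust anchor for it, and otherwise resolves unvalidated. The following is an added illustration, not code from the message or from the dns-operations list: a toy chain-of-trust walk over a constructed zone tree (zone names "chained", "island", "unsigned.chained" and the health flags are all made up; NSEC/NSEC3 proofs of "no DS" are assumed to be present), classifying each zone as secure, insecure or bogus under three resolver configurations, including one where the root's own signatures are broken.

```python
"""Toy DNSSEC chain-of-trust walk: secure / insecure / bogus per zone.

Constructed example for illustration; not a real resolver. Zone names and
flags are made up, and NSEC/NSEC3 proofs of "no DS" are assumed present.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Zone:
    name: str
    parent: Optional[str]       # None for the root zone
    signed: bool                # publishes DNSKEY and RRSIGs
    sigs_valid: bool = True     # False models a broken rollover or bad RRSIGs
    ds_in_parent: bool = False  # parent publishes a DS matching this zone's KSK


def validate(name: str, zones: Dict[str, Zone], anchors: Set[str]) -> str:
    """Classify `name` the way a validating resolver does.

    Walk up to the nearest configured trust anchor, then check the chain
    top-down: each link needs a DS in the parent (or a trust anchor) and
    valid signatures in the child.
    """
    chain = []
    cur: Optional[str] = name
    while cur is not None and cur not in anchors:
        chain.append(cur)
        cur = zones[cur].parent
    if cur is None:
        return "insecure"  # no anchor above this name: nothing to validate against
    chain.append(cur)      # cur is the anchor zone

    for i in range(len(chain) - 1, -1, -1):
        z = zones[chain[i]]
        is_anchor = i == len(chain) - 1
        if not is_anchor and not z.ds_in_parent:
            # A secure parent proves "no DS" (NSEC/NSEC3 proof assumed), so the
            # delegation is unsigned from the resolver's view: resolves, unvalidated.
            return "insecure"
        if not z.signed or not z.sigs_valid:
            # An anchor or a DS says this zone must validate, and it does not.
            return "bogus"
    return "secure"


def build_zones(root_ok: bool = True) -> Dict[str, Zone]:
    """Constructed tree: one chained TLD, one unchained TLD, one unsigned child."""
    return {
        ".": Zone(".", None, signed=True, sigs_valid=root_ok),
        "chained": Zone("chained", ".", signed=True, ds_in_parent=True),
        "island": Zone("island", ".", signed=True, ds_in_parent=False),
        "unsigned.chained": Zone("unsigned.chained", "chained", signed=False),
    }


def scenarios() -> Dict[str, Dict[str, str]]:
    """Validation outcomes under three resolver configurations."""
    root_only = {"."}
    root_plus_island = {".", "island"}
    return {
        "root anchor, root healthy": {
            n: validate(n, build_zones(), root_only)
            for n in ("chained", "island", "unsigned.chained")
        },
        "root anchor + island anchor, root healthy": {
            n: validate(n, build_zones(), root_plus_island)
            for n in ("chained", "island")
        },
        "root anchor + island anchor, root signatures broken": {
            n: validate(n, build_zones(root_ok=False), root_plus_island)
            for n in ("chained", "island")
        },
    }


if __name__ == "__main__":
    for title, results in scenarios().items():
        print(title)
        for zone, state in results.items():
            print(f"  {zone:18} {state}")
```

With only the root anchor configured, the unchained TLD is merely "insecure" (it still resolves, just without validation), which is the graceful-degradation property behind the "islands of security" deployment model. With a separate anchor for the island, it validates on its own and keeps validating even when the root's signatures are broken, while the TLD chained through the root becomes bogus in that case.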
