[dns-operations] Racing to DNSSEC was Re: Online DNSSEC debugging tool now availalbe
Ed.Lewis at neustar.biz
Sun Jul 18 17:11:46 UTC 2010
At 17:54 +0200 7/18/10, Patrik Fältström wrote:
>On 18 jul 2010, at 17.37, Edward Lewis wrote:
>> I can think of a number of reasons why not to
>>have the DS record in the root zone right now.
>Can you mention some? I would like to know what you have in mind.
"One step at a time" is the first that comes to
mind. Changing the nature of the root zone now,
changing the nature of the delegation to the TLD
next is smoother to me than bring it all up at
once. For years DNSSEC deployment preached that
a full tree was unnecessary, "islands of
security" were anticipated. Piecemeal transition
is not a bad thing, and it is what has been
anticipated all along.
The overall stability of DNS software is less now
that it has historically been due to the new code
paths written for DNSSEC. I.e., no one
(authoritative or more importantly recursive) can
be running 5 year-old code and handle RSA/SHA256
or NSEC3. I cannot say I have full confidence in
what's out there.
If the root zone goes belly up, everything does.
But if the root zone only goes belly up for
DNSSEC, and the TLDs aren't chained, things will
In the scheme of things, I fail to see much
importance on having a TLD's DS appear in either
July or August. This isn't a reason per se to
not submit a DS record, but, it fails to make me
think the reward of the risk-vs-reward equation
tips favorable towards submission right now.
A month from now, more or less, might be all the
time I'd wait. I am not thinking "years."
NeuStar You can leave a voice message at +1-571-434-5468
Spouses, like Internet protocols, lack necessary troubleshooting tools. Sigh.
More information about the dns-operations