[dns-operations] .com/.net DNSSEC operational message
Joe Abley
jabley at hopcount.ca
Fri Oct 29 18:49:41 UTC 2010
On 2010-10-29, at 14:45, bmanning at vacation.karoshi.com wrote:
> It's mildly amusing to read your arguments against deploying DNSSEC signed zones.
To be fair, (a) I was trying to summarise arguments made by a number of people, and (b) I'm talking about one very specific zone, not zones in general.
> While you might be right - that a validator with a TA for "a" root zone is not
> going to believe answers from an out-of-bailiwick root server, (DNSSEC with BIND 'views'?)
> it is conceivable that there -might- be folk with a TA for NET or ROOT-SERVERS.NET.
>
> Again, I encourage the folks who have the operational control of those zones
> to sign them.
There's an assessment to be made of benefit vs. risk in this, as with all things.
I'm not arguing that ROOT-SERVERS.NET should not be signed, but rather relating a lack of identified benefit. As with all operational changes, there is non-zero cost/risk in doing so. It seems only reasonable to identify a clear benefit before deciding to make a change.
Joe