[dns-operations] .com/.net DNSSEC operational message

bmanning at vacation.karoshi.com
Fri Oct 29 19:03:14 UTC 2010


On Fri, Oct 29, 2010 at 02:49:41PM -0400, Joe Abley wrote:
> 
> On 2010-10-29, at 14:45, bmanning at vacation.karoshi.com wrote:
> 
> > 	It's mildly amusing to read your arguments against deploying DNSSEC signed zones.
> 
> To be fair, (a) I was trying to summarise arguments made by a number of people, and (b) I'm talking about one very specific zone, not zones in general.

	... for the want of a nail ... :)  is there any good reason to NOT sign it?

> 
> > 	While you might be right - that a validator with a TA for "a" root zone is not
> > 	going to believe answers from an out-of-bailiwick root server, (DNSSEC with BIND 'views'?)
> > 	it is conceivable that there -might- be folk with a TA for NET or ROOT-SERVERS.NET.  
> > 
> > 	Again, I encourage the folks who have the operational control of those zones
> > 	to sign them.  
> 
> There's an assessment to be made of benefit vs. risk in this, as with all things.

	this is the second time I've heard the beginnings of justification for not signing
	the whole tree.  it can be a compelling argument - but kind of leaves open the
	question about "islands of trust" and the requirement to be able to support 
	multiple Trust Anchors et al.  

> I'm not arguing that ROOT-SERVERS.NET should not be signed, but rather relating a lack of identified benefit. As with all operational changes, there is non-zero cost/risk in doing so. It seems only reasonable to identify a clear benefit before deciding to make a change.

	Turning your question on its head, what's the benefit in NOT signing the zone?
	As to risk, your earlier missive suggests the risk is low; as to cost, the parties
	have already sunk cost in deploying signing infrastructure, one small zone is 
	going to be inconsequential.

--bill

> 
> 
> Joe

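The "islands of trust" question raised above (a validator holding a trust anchor for the root vs. one holding an anchor for NET or ROOT-SERVERS.NET) comes down to whether a continuous chain of signed zones and DS records connects the queried zone to some configured anchor. The toy model below is an added example, not code from the thread or from any DNS software; the zone states in it are constructed to illustrate the cases and are not a statement about the real status of those zones. It walks bottom-up from the queried zone for brevity, where a real validator works top-down from the anchor.

```python
"""Toy model of DNSSEC chain-of-trust evaluation with several trust anchors.

Added example, not from the original thread. Zone states below are
constructed for illustration and are not a description of the real zones.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    signed: bool        # zone publishes DNSKEY and RRSIGs
    ds_in_parent: bool  # the parent zone publishes a DS record pointing at it


def parent_of(name: str) -> str | None:
    """'root-servers.net.' -> 'net.' -> '.' -> None."""
    if name == ".":
        return None
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def validation_status(name: str, zones: dict[str, Zone],
                      trust_anchors: set[str]) -> str:
    """Return 'secure', 'insecure' or 'bogus' for data in zone `name`.

    Simplified: a validator reaches 'secure' only if it can walk from the
    queried zone up a continuous chain of signed zones and DS records to a
    configured trust anchor. A signed zone with no DS in its parent is an
    island of trust, validatable only by resolvers holding its own anchor.
    """
    cur: str | None = name
    while cur is not None:
        zone = zones[cur]
        if zone.ds_in_parent and not zone.signed:
            return "bogus"      # parent vouches for keys the child does not serve
        if not zone.signed:
            return "insecure"   # unsigned, and the parent does not claim otherwise
        if cur in trust_anchors:
            return "secure"     # chain ends at a configured anchor
        if cur == "." or not zone.ds_in_parent:
            return "insecure"   # root without an anchor, or an island seen from above
        cur = parent_of(cur)
    return "insecure"


# Constructed scenarios (hypothetical states, not the real zones' status).
ROOT = Zone(signed=True, ds_in_parent=False)   # the root has no parent
NET = Zone(signed=True, ds_in_parent=True)

ZONES_UNSIGNED = {".": ROOT, "net.": NET,
                  "root-servers.net.": Zone(signed=False, ds_in_parent=False)}
ZONES_CHAINED = {".": ROOT, "net.": NET,
                 "root-servers.net.": Zone(signed=True, ds_in_parent=True)}
ZONES_ISLAND = {".": ROOT, "net.": NET,
                "root-servers.net.": Zone(signed=True, ds_in_parent=False)}

ANCHOR_SETS = {"root TA": {"."}, "NET TA": {"net."},
               "ROOT-SERVERS.NET TA": {"root-servers.net."}}


def statuses_by_anchor(zones: dict[str, Zone],
                       name: str = "root-servers.net.") -> dict[str, str]:
    """Status of `name` as seen by validators with each anchor configuration."""
    return {label: validation_status(name, zones, anchors)
            for label, anchors in ANCHOR_SETS.items()}


if __name__ == "__main__":
    for label, zones in (("unsigned", ZONES_UNSIGNED),
                         ("signed, DS in net", ZONES_CHAINED),
                         ("signed, no DS (island)", ZONES_ISLAND)):
        print(label, statuses_by_anchor(zones))
```

In the "island" scenario only a resolver configured with an anchor for ROOT-SERVERS.NET itself gets a secure answer, while root- and NET-anchored resolvers see it as insecure; once a DS is published in the parent, every anchor set along the chain validates it. Dropping the child's keys while the parent still publishes a DS is the one configuration the model reports as bogus.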

