Hi, On Aug 15, 2008, at 9:15 AM, Ted Lemon wrote:
But until we have root and .com signed, and until the average end- user is protected by a validating resolver, we aren't done yet, and I don't really get any actual benefit from my efforts. Which, tragically, is why it's taking so long.
There are people who appear to think deploying DNSSEC as soon as possible would be a good thing. There are also people who appear to think deploying DNSSEC is a fools errand, that it won't get significant use because it makes things too hard, too complicated, too prone to failure, etc.
However, because of DO, folks who don't configure their resolvers to do DNSSEC shouldn't ever see any DNSSEC goop.
Given this, does anyone see any DNS security and/or stability concerns if a miracle were to happen and the root were to be signed tomorrow?
That is, if you don't care about DNSSEC, do you think it would be bad(tm) if the root were to be signed (for the sake of argument, ignore the time waste, administrative overhead, etc. associated with DNSSEC-signing)? If so, why?
Thanks, -drc _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
