On Fri, Aug 15, 2008 at 11:29:13AM -0700, David Conrad wrote:
> Hi,
>
> On Aug 15, 2008, at 9:15 AM, Ted Lemon wrote:
> >But until we have root and .com signed, and until the average
> >end-user is protected by a validating resolver, we aren't done yet, and
> >I don't really get any actual benefit from my efforts. Which,
> >tragically, is why it's taking so long.
>
> There are people who appear to think deploying DNSSEC as soon as
> possible would be a good thing. There are also people who appear to
> think deploying DNSSEC is a fool's errand, that it won't get
> significant use because it makes things too hard, too complicated, too
> prone to failure, etc.
>
> However, because of DO, folks who don't configure their resolvers to
> do DNSSEC shouldn't ever see any DNSSEC goop.
>
> Given this, does anyone see any DNS security and/or stability concerns
> if a miracle were to happen and the root were to be signed tomorrow?

Having signed a large delegation centric zone and as expected not seeing
any security/stability issue for a significant amount of time I would say NO.

> That is, if you don't care about DNSSEC, do you think it would be
> bad(tm) if the root were to be signed (for the sake of argument,
> ignore the time waste, administrative overhead, etc. associated with
> DNSSEC-signing)? If so, why?

Ok, I do care but the answer is still NO. Besides the large amount of
statements accusing it of being a pig-protocol it is really well thought
on incremental deployment for clients.

> Thanks,
> -drc

Fred
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop