At 1:01 PM -0700 8/15/08, David Conrad wrote:
> Let me try to (hopefully) more clearly articulate my question: given
> the fact that caching servers only care about DNSSEC if they're
> explicitly configured to do so, does anyone anticipate any
> stability/security concerns to those folks who _haven't_ configured
> DNSSEC if the root is signed?

Ah. Better question. My previous answer was for a different question.
If what you really, really mean to ask is "given the fact that
caching servers only care about DNSSEC if they're explicitly
configured to do so, does anyone anticipate any stability/security
concerns to those folks who _don't_ configure DNSSEC if the root is
signed?", then I would say no, I don't see any.

As to your question above: people who _haven't_ configured DNSSEC
_will_ configure DNSSEC after the root is signed due to lots of press
and the general feeling that more security layers are good. If we
don't give those people the right tools to properly configure and
properly maintain those configurations, there will be stability
issues, as I listed earlier.

Sorry to be so picky about this, but this WG in particular is
responsible for giving operational advice for the DNS, and I believe
that there are certain things that will cause more people to have DNS
operational issues. The publicity aftermath to signing the root is
completely predictable, and will greatly increase the number of
resolvers with DNSSEC turned on; it will also greatly increase the
number of resolver operators who need more help in running their
resolvers correctly.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop