Matt,

In general I agree with you that due diligence is required and I would
not expect anything different from that; remember how long it took us
to include AAAA glues at the root.

On Fri, Aug 22, 2008 at 09:41:21AM -0400, Matt Larson wrote:
> On Fri, 22 Aug 2008, Mark Andrews wrote:
> >     Every machine that is setting DO is asserting that it can
> >     handle the responses the roots will generate.  These are
> >     the same sorts of response the servers for SE and BR are
> >     sending.
> 
> I'm not (just) concerned about individual resolvers.  I'm concerned
> about the system as a whole, end to end.  We all know that .SE's
> rollout wasn't completely smooth.  It wasn't IIS's fault: they did
> everything they could for the variables under their control.  It was
> the other stuff--such as the infamous SOHO router that didn't like
> AD--that caused problems.

This is news for me in the case of .SE. So far our deployment is
completely smooth; besides one SMTP implementation that doesn't
support EDNS0, we've seen no complaints from a very large broadband
installed base of users.

> Now, there's no question that that SOHO router was broken and needs to
> be fixed.  But magnify this situation to the entire Internet and
> imagine the issues.  My point is that any course of action for DNSSEC
> deployment in the root that doesn't include a lot of due diligence,
> including large-scale testing, is reckless and irresponsible.  Signing
> the root will be the single largest change ever undertaken to the root
> zone and, arguably, to the DNS as a whole.

We need that to document and push vendors of these products in the
right direction but I would stop here. We can't even argue that it's
not advisable to deploy new technology because there is something
out there that doesn't support a specification almost 10 years old.

> Please don't mistake any of my comments as a lack of support for
> DNSSEC.  We do need to get the root signed, and I and the rest of
> VeriSign are totally supportive.  VeriSign has had a root zone testbed
> running for several months, in which we've been signing the root using
> the same infrastructure and policies used for our CA operations.  (See
> http://webroot.verisignlabs.com.)  And in our role as root zone
> editor, we're ready to sign the production root when asked.
> 
> What disturbs me is that I detect a disturbing drumbeat of "We must
> sign the root now--now now NOW!" in discussions in various venues.
> Such talk doesn't show prudence but panic.

You have all the baggage to take this and know that even if
"everyone" is saying "sign now now now..." with all the techno-bureaucracy
that we have at the root this is not something that would be feasible
in less than... let me guess, 24 months from the time L9 issues are
sorted out.

> Let's sign the root.  But let's do it diligently, always keeping in
> mind how important the infrastructure is.
> 
> Matt

Fred
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop