On Aug 22, 2008, at 6:41 AM, Matt Larson wrote:
What disturbs me is that I detect a disturbing drumbeat of "We must
sign the root now--now now NOW!" in discussions in various venues.
Such talk doesn't show prudence but panic.
Let's sign the root. But let's do it diligently, always keeping in
mind how important the infrastructure is.
To put it another way, if we create a new root that is the DNSSEC
root, and it is capable of handling the same traffic that the current
root handles, then we can do a staged transition to the new root.
Not being a serious DNS geek, I'm sure that there are dragons waiting
in this approach, but don't know what they are.
Nevertheless, this is the way to do a switchover if it's possible.
That way people who care migrate and learn. There is no flag day,
and the people who are most willing to deal with trouble go first,
saving trouble for the rest. Eventually you can get to the point
where you can say "look, we're going to power the old infrastructure
off in two years, please start migrating now."
But as I say, I'm not sure this is possible, at any layer.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
