On Fri, Aug 22, 2008 at 11:53:02AM -0700, David Conrad wrote:
> If you ensure the namespace and authorities are identical between the
> two infrastructures, there are no technical issues (at least that I've
> heard about).

{Diving into a detail: the ARPA zone shares its NS RRSet with the root zone (only one exception), which needs special consideration when you change the root NS RRSet or the corresponding A/AAAA records.}

{Another detail: the root zone at ns.iana.org announces two root name servers: ns.iana.org and pch-test.iana.org; however, a resolver can't successfully be primed from these sources because a response to ". NS" lacks the addresses of both servers -- which is strange because they also serve ARPA in that version and should therefore only have glue records in the root zone (better yet, they'd be stealth servers for iana.org).}

It looks like part of your proposal has been overtaken by events given that the AAAA introduction for the root name servers went smoothly. Of course that alone doesn't guarantee the next change will work as well.

How to avoid leakage between the plain and the DNSSEC signed root? What is the back out strategy? Actually, there is some practical experience with this from the "AAAA in the root" experiment, that indeed used a modified "hints" file.

Most importantly: How do you make sure that the most representative subset of resolvers do actually opt-in? Since we do not have good models for the swarm behaviour of the resolver population, both in terms of software anomalies and query patterns, it is hard to tell that or when you have reached enough breadth (diversity) in your user community. Also, it is reasonable to assume that

o the participants would be on the informed side, using well known and recent software

o for anybody with an "interesting" query volume or pattern, it would most likely mean switching a production system

> In my experience, all the issues blocking forward motion on this have
> been political. Specifically, one of the concerns has been that a
> separate infrastructure would in some way promote alternate root name

And I'd say this is a serious concern.

Also, an experiment is much different from a migration for technical/operational and layer 9 reasons. The operational one being that you'd essentially have to move all the DNSSEC unaware resolvers as well - at least in the long run.

-Peter (no hats)

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
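The priming failure and the "modified hints file" question raised in the message above can be checked mechanically: compare the NS RRSet and glue a server returns for ". NS" against the resolver's hints. The following is an added example, not code from the thread or from IANA; the hints text, server names and addresses are constructed sample data (documentation ranges), and the priming response is modelled as an already-parsed dict rather than wire format.

```python
"""Compare a resolver's root hints against a priming (". NS") response.

Constructed example data: EXAMPLE-ROOT names and 192.0.2.x / 2001:db8::
addresses are placeholders, not real root server data.
"""
from collections import defaultdict

# Constructed hints file in zone-file syntax (';' comments, blank lines allowed).
SAMPLE_HINTS = """\
; constructed hints, not the real root hints
.                    3600000  NS    A.EXAMPLE-ROOT.
.                    3600000  NS    B.EXAMPLE-ROOT.
A.EXAMPLE-ROOT.      3600000  A     192.0.2.1
A.EXAMPLE-ROOT.      3600000  AAAA  2001:db8::1
B.EXAMPLE-ROOT.      3600000  A     192.0.2.2
"""

# Constructed priming response: answer-section NS names plus additional-section glue.
SAMPLE_PRIMING = {
    "answer": ["A.EXAMPLE-ROOT.", "B.EXAMPLE-ROOT.", "C.EXAMPLE-ROOT."],
    "additional": {
        "A.EXAMPLE-ROOT.": {"192.0.2.1", "2001:db8::1"},
        "B.EXAMPLE-ROOT.": {"192.0.2.99"},  # address differs from the hints
        # C.EXAMPLE-ROOT. is announced without glue, like the case in the message
    },
}

def parse_hints(text):
    """Return (set of root NS names, {name: set of addresses}) from hints text."""
    names, addrs = set(), defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        owner, _ttl, rtype, rdata = line.split()
        if owner == "." and rtype == "NS":
            names.add(rdata.upper())
        elif rtype in ("A", "AAAA"):
            addrs[owner.upper()].add(rdata)
    return names, dict(addrs)

def check_priming(hints_text, priming):
    """Report announced servers lacking glue and hints that disagree with the response."""
    hint_names, hint_addrs = parse_hints(hints_text)
    announced = {n.upper() for n in priming["answer"]}
    glue = {n.upper(): set(a) for n, a in priming["additional"].items()}
    return {
        "missing_glue": sorted(announced - set(glue)),   # resolver cannot reach these
        "not_in_hints": sorted(announced - hint_names),  # hints need updating
        "stale_hints": sorted(n for n in hint_names & announced
                              if n in glue and hint_addrs.get(n, set()) != glue[n]),
    }
```

Run `check_priming(SAMPLE_HINTS, SAMPLE_PRIMING)` against live data by filling the dict from the answer and additional sections of a real priming query; any name under `missing_glue` is one a resolver could not contact from the priming response alone.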