At 13:19 -0500 1/13/10, Olafur Gudmundsson wrote:

> The benefit is that a single query can retrieve the signed root NS set
> and all the signed glue records.

I am not certain that the cost of doing TCP for this is worth the benefit of getting a signed priming response. I agree with section 2.4 - no DO bit.

What does a DNSSEC-protected priming query gain you?

Accepting any old priming query and having a root SEP configured, if the query is right all things work. If the query is wrong/forged you won't get anywhere anyhow. (Without going into the weeds here - what if one IP address were forged, what if it were 6, 16, or all of them?)

(13 name servers => 13 A records + 7 AAAA records last check)

Besides the warm and fuzzy feeling, what do you gain? (Keep in mind all of the TCP traffic it would take to get warm and fuzzy.)

At 16:05 -0500 1/13/10, Olafur Gudmundsson wrote:

> Why not ask for signatures?

Same reason it is no longer fashionable to include keys in signed responses - signatures are a big load. Yes, you'll know sooner if a server's IP address is a problem, but you'd figure it out before it mattered anyway (if you ever use that server).
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

As with IPv6, the problem with the deployment of frictionless surfaces is
that they're not getting traction.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
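The size argument in the exchange above (a priming response is already 13 A + 7 AAAA glue records; adding RRSIGs to the NS set and every glue RRset pushes it well past what UDP carries) can be checked on the wire format directly. The following is an added example, not code from the thread or from any participant: it builds a "`. IN NS`" priming query with and without the DO bit, assembles the matching response with RFC 1035 name compression, and reports whether it would fit in a 512-byte UDP packet, in an EDNS-sized UDP packet, or would be truncated and retried over TCP. The server names, the documentation-range addresses (192.0.2.x, 2001:db8::x), the TTL, the assumption that the glue RRsets carry RRSIGs (as the suggestion under discussion implies), and the 256-byte RSA-2048 signature length are all constructed for the example; none of it is real root data.

```python
# Constructed example: size of a root priming response, unsigned vs. signed.
# Names/addresses are documentation-range placeholders, NOT real root servers.
import struct

ROOT_NS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
SAMPLE_A = {n: bytes([192, 0, 2, i + 1]) for i, n in enumerate(ROOT_NS)}
SAMPLE_AAAA = {n: bytes.fromhex("20010db8" + "0" * 22 + f"{i + 1:02x}")
               for i, n in enumerate(ROOT_NS[:7])}   # 7 AAAA, as in the thread

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
DO_BIT = 0x8000          # high bit of the OPT TTL field (RFC 4035 section 3)
RSA2048_SIG_LEN = 256    # assumed signature length: RSA/SHA-256, 2048-bit key
TTL = 518400             # assumed RR TTL; only sizes matter in this example

def encode_name(name, offset, comp):
    """Wire-encode `name` placed at packet `offset`. If `comp` (suffix -> offset)
    is given, reuse or record suffixes per RFC 1035 section 4.1.4 compression."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    while labels:
        suffix = ".".join(labels).lower()
        if comp is not None and suffix in comp:
            out += struct.pack("!H", 0xC000 | comp[suffix])   # 2-byte pointer
            return bytes(out)
        if comp is not None and offset + len(out) < 0x4000:
            comp[suffix] = offset + len(out)
        out += bytes([len(labels[0])]) + labels[0].encode("ascii")
        labels = labels[1:]
    return bytes(out + b"\x00")

def append_rr(pkt, comp, owner, rtype, rdata):
    """Append one RR to bytearray `pkt`; NS RDATA is a compressible name."""
    pkt += encode_name(owner, len(pkt), comp)
    pkt += struct.pack("!HHIH", rtype, 1, TTL, 0)     # RDLENGTH patched below
    rdlen_pos, start = len(pkt) - 2, len(pkt)
    pkt += encode_name(rdata, len(pkt), comp) if rtype == TYPE_NS else rdata
    struct.pack_into("!H", pkt, rdlen_pos, len(pkt) - start)

def rrsig_rdata(covered, signer):
    """RRSIG RDATA (RFC 4034 section 3.1) with a zeroed signature; the signer
    name is never compressed. Algorithm 8 = RSA/SHA-256."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 0, TTL, 0, 0, 0)
    return fixed + encode_name(signer, 0, None) + b"\x00" * RSA2048_SIG_LEN

def build_priming_query(qid=0x1234, edns=True, do=False, bufsize=4096):
    """'. IN NS' with an optional OPT record; `do` sets the DO bit in it."""
    pkt = bytearray(struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1 if edns else 0))
    pkt += b"\x00" + struct.pack("!HH", TYPE_NS, 1)
    if edns:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize,
                                     DO_BIT if do else 0, 0)
    return bytes(pkt)

def build_priming_response(query):
    """Root NS set plus A/AAAA glue; RRSIGs are added only when the query's
    OPT record carries the DO bit (assumes the glue RRsets are signed)."""
    qid, = struct.unpack("!H", query[:2])
    has_opt = len(query) >= 28                 # 12 header + 5 question + 11 OPT
    bufsize, ttl = struct.unpack("!HI", query[20:26]) if has_opt else (512, 0)
    signed = bool(ttl & DO_BIT)
    glue = len(SAMPLE_A) + len(SAMPLE_AAAA)
    ancount = len(ROOT_NS) + (1 if signed else 0)
    arcount = glue * (2 if signed else 1) + (1 if has_opt else 0)
    pkt = bytearray(struct.pack("!HHHHHH", qid, 0x8400, 1, ancount, 0, arcount))
    pkt += b"\x00" + struct.pack("!HH", TYPE_NS, 1)    # echo the question
    comp = {}
    for ns in ROOT_NS:
        append_rr(pkt, comp, ".", TYPE_NS, ns)
    if signed:
        append_rr(pkt, comp, ".", TYPE_RRSIG, rrsig_rdata(TYPE_NS, "."))
    for rtype, rrs in ((TYPE_A, SAMPLE_A), (TYPE_AAAA, SAMPLE_AAAA)):
        for name, addr in rrs.items():
            append_rr(pkt, comp, name, rtype, addr)
            if signed:
                append_rr(pkt, comp, name, TYPE_RRSIG,
                          rrsig_rdata(rtype, "root-servers.net."))
    if has_opt:
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, ttl & DO_BIT, 0)
    return bytes(pkt)

def header_counts(pkt):
    """(QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) from a DNS message header."""
    return struct.unpack("!HHHH", pkt[4:12])

def transport(response_len, edns_bufsize=0):
    """Path a response of this size takes: classic 512-byte UDP, EDNS UDP,
    or truncation (TC) followed by a retry over TCP."""
    if response_len <= 512:
        return "udp"
    if response_len <= edns_bufsize:
        return "udp-edns"
    return "tcp"

for do in (False, True):
    resp = build_priming_response(build_priming_query(do=do))
    print(f"DO={do}: {len(resp)} bytes -> {transport(len(resp), 4096)}")
```

With these placeholder addresses the unsigned response is 643 bytes: over the classic 512-byte limit, so it already depends on EDNS, but comfortably inside a 4096-byte buffer. Setting the DO bit adds one RRSIG for the NS set and one per glue RRset (20 of them), roughly 290 bytes each, so the signed response is about 7 KB and is truncated even at 4096, which is the TCP fallback the reply above objects to.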