At 9:38 AM -0500 3/8/10, Joe Abley wrote:
>I also find Jim's point regarding NET rather compelling. If the NET zone is
>not signed, then validating responses from a signed ROOT-SERVERS.NET zone
>would require yet another trust anchor to be manually-configured.

...and to manually be removed in the future when the keys for root-servers.net are rolled. For bonus points, imagine the consequences of that happening after .net is signed.

This list is DNSOP, not DNSEXT: we are tasked with thinking about the operational aspects of both doing and undoing a particular action, and the effects on the DNS for when that doing and undoing happens incorrectly.

--Paul Hoffman, Director
--VPN Consortium