On Mon, 8 Mar 2010, Joe Abley wrote: > On 2010-03-08, at 11:18, Tony Finch wrote: > > On Mon, 8 Mar 2010, Joe Abley wrote: > >> > > > >> - signing ROOT-SERVERS.NET would result in potentially-harmful large > >> responses with no increase in security > > > > Can't you deal with this by omitting the root-servers.net RRSIGs from the > > additional section of responses to queries to the root? > > Are you suggesting that we implement a coordinated code change to all > root servers in the name of security or stability?
I suppose it was more a protocol / implementation question, along the lines of BIND's minimal-responses option. > Diversity in operation and code base is usually thought to be a strength > of the root server system. Yes, but I'm not sure how that has any bearing on the question. Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS. MODERATE OR GOOD. _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
