On Thu, Nov 11, 2010 at 05:03:51AM -0500, Andrew Sullivan wrote:
> Hi all,
>
> The last discussion of signing ROOT-SERVERS.NET involved the arguments
> that there's no real value in signing the zone and that there is a
> non-zero cost to doing so.
>
> I agree with both of those arguments, but I wonder whether it might
> not be a better sales job if we just accepted it maybe ought to be
> signed anyway. I'm aware that it runs against the grain to do
> something purely for theatrical reasons, but sometimes people like a
> good show. Every time this topic comes up (especially outside IETF
> circles, where one can perhaps be expected to understand the detailed
> arguments), a number of people argue that it's really necessary to
> sign the zone, or that having an exception for this sets some kind of
> precedent, or something. I think these discussions waste a lot of
> time, and so as a purely tactical measure it strikes me that we could
> shut down that line of argument by just signing the data.
>
> Thoughts?
>
> A
Political coordination issues aside, there are some interesting technical issues here that have to do with the priming query and response. In the absence of 100% EDNS0 penetration, making this change will result in priming failures. In the interests of security and stability, is this a reasonable tradeoff?

--bill

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
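Bill's point about the priming response and EDNS0 penetration, made concrete as an added example (not code from the thread): a Python builder for the wire-format answer to the priming query `. IN NS` that compares its size with and without an RRSIG per glue RRset against the 512-byte ceiling that applies to a UDP answer when the querier sends no EDNS0 OPT record. The 192.0.2.x addresses, the 1024-bit RSA signature size, and the choice of attaching signatures to the A glue in the additional section are assumptions made for the illustration.

```python
import struct

# Constructed illustration: the 13 root server names, the 512-byte ceiling on a UDP
# answer sent without EDNS0 (RFC 1035) and an assumed 1024-bit RSA signature size.
ROOTS = [f"{chr(c)}.root-servers.net." for c in range(ord("a"), ord("n"))]
UDP_LIMIT = 512
SIG_LEN = 128  # RSA signatures are modulus-sized, so a 1024-bit key gives 128 bytes

def encode_name(name, msg, table, compress=True):
    """Append a domain name in wire form, using RFC 1035 label compression."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    out = bytearray()
    while labels:
        suffix = ".".join(labels)
        if compress and suffix in table:
            return bytes(out + struct.pack("!H", 0xC000 | table[suffix]))
        if compress and len(msg) + len(out) < 0x4000:
            table[suffix] = len(msg) + len(out)  # first occurrence becomes a pointer target
        out += bytes([len(labels[0])]) + labels[0].encode()
        labels = labels[1:]
    return bytes(out) + b"\x00"

def rr(msg, table, owner, rtype, rdata):
    """Append one class-IN RR (TTL 3600); rdata is bytes or a builder taking (msg, table)."""
    msg += encode_name(owner, msg, table) + struct.pack("!HHI", rtype, 1, 3600)
    pos = len(msg)
    msg += b"\x00\x00"                                  # RDLENGTH, patched below
    msg += rdata(msg, table) if callable(rdata) else rdata
    struct.pack_into("!H", msg, pos, len(msg) - pos - 2)

def rrsig_rdata(covered, signer):
    """RRSIG rdata (RFC 4034 3.1): signer name never compressed, signature bytes constructed."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 3, 3600, 0, 0, 0)
    return fixed + encode_name(signer, b"", {}, compress=False) + b"\x00" * SIG_LEN

def priming_response(signed, servers=ROOTS):
    """Wire-format answer to '. IN NS' with A glue; one RRSIG per glue RRset if signed."""
    arcount = len(servers) * (2 if signed else 1)
    msg, table = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount)), {}
    msg += encode_name(".", msg, table) + struct.pack("!HH", 2, 1)      # question: . IN NS
    for n in servers:
        rr(msg, table, ".", 2, lambda m, t, n=n: encode_name(n, m, t))   # NS, rdata compressed
    for i, n in enumerate(servers, 1):
        rr(msg, table, n, 1, struct.pack("!4B", 192, 0, 2, i))           # A glue, constructed 192.0.2.x
        if signed:
            rr(msg, table, n, 46, rrsig_rdata(1, "root-servers.net."))   # RRSIG over that A RRset
    return bytes(msg)

def fits_without_edns0(signed):  # True if a querier with no EDNS0 buffer gets the whole answer
    return len(priming_response(signed)) <= UDP_LIMIT
```

An answer over the limit goes back truncated with TC set, so a resolver that cannot announce a larger buffer must retry over TCP, and one that cannot do that never completes priming.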