At 1:49 PM -0500 11/11/10, Matt Larson wrote:

>On Thu, 11 Nov 2010, Andrew Sullivan wrote:
>> I think these discussions waste a lot of time, and so as a purely
>> tactical measure it strikes me that we could shut down that line of
>> argument by just signing the data.
>
>So we should alter critical infrastructure to stifle argument and, by
>extension, for "optics"? That's no way to run a railroad.

...says the man who participates in video-taped key signing ceremonies with people flying in from all over the world to stand near opaque boxes. :-)

>The effort of signing root-servers.net is non-trivial and will involve
>layer nine. (Change authorization for this zone rests with the
>U.S. DoC NTIA, the same as the root zone.)

The request for signing the zone is a one-time thing, even if the zone changes. You don't need new permission to sign each TLD when the information changes, do you?

>Further, we just got the
>root signed not even six months ago and more big DNSSEC changes are
>still to come: a signed .net is right around the corner and a signed
>.com is coming early next year.

How long do you feel that each signing action needs to take to test in the wild? Measurements would help here.

>If there is desire to change critical infrastructure that's part of a
>system that we're still getting operational experience with, the
>justification needs to be better than "let's just do it".

Andrew gave that justification.

>Let's have
>a discussion of the merits, but, speaking on behalf of one of the
>organizations that operates the root zone infrastructure, I am opposed
>to signing root-servers.net any time within at least the next year.
>That's simply the conservative, operationally prudent course of
>action.

Conservative, yes; operationally prudent, no. This type of thing can be pre-tested fairly easily. For example, once .net starts signing, make a private signing of root-servers.net and hand it out to friends and family and watch for any anomalous results.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
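An added example, not part of the thread above and not code from any of the participants, of the kind of check a "private signing and watch for anomalous results" pre-test would start with: before a privately signed copy of root-servers.net is handed out, confirm that signing added only DNSSEC records (DNSKEY, NSEC/NSEC3, RRSIG) and left every ordinary RRset untouched, and that every RRset in the signed copy carries a covering RRSIG. The zone text, addresses (documentation ranges), key and signature data are all constructed placeholders; the parser handles only one-record-per-line presentation format, not $ORIGIN, $TTL or parenthesised multi-line records, which the real signing tools (for instance BIND's dnssec-signzone) do.

```python
"""Compare an unsigned zone with a privately signed copy of it.

Added example; the zones below are constructed and the RRSIG/DNSKEY
rdata are placeholders, not real signatures.
"""
from collections import defaultdict

# Record types that signing is expected to add; differences in these
# are not anomalies, differences in anything else are.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def parse_zone(text):
    """Return {(owner, type): {rdata, ...}} for one-record-per-line zone text.

    TTL and class are dropped: the pre-test is about RRset contents.
    """
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        owner, _ttl, _cls, rtype = fields[:4]
        rrsets[(owner.lower(), rtype.upper())].add(" ".join(fields[4:]))
    return dict(rrsets)


def compare_zones(unsigned_text, signed_text):
    """Return the anomalies a signing pre-test should flag.

    changed  : non-DNSSEC RRsets whose contents differ between the copies
    missing  : non-DNSSEC RRsets present in only one of the copies
    unsigned : RRsets in the signed copy with no RRSIG covering them
    Note: a signer configured to bump the SOA serial will legitimately
    show the apex SOA under 'changed'.
    """
    before = parse_zone(unsigned_text)
    after = parse_zone(signed_text)
    plain_before = {k: v for k, v in before.items() if k[1] not in DNSSEC_TYPES}
    plain_after = {k: v for k, v in after.items() if k[1] not in DNSSEC_TYPES}

    changed = sorted(k for k in plain_before.keys() & plain_after.keys()
                     if plain_before[k] != plain_after[k])
    missing = sorted(plain_before.keys() ^ plain_after.keys())

    # RRSIG rdata begins with the type it covers (RFC 4034 presentation format).
    covered = set()
    for (owner, rtype), rdatas in after.items():
        if rtype == "RRSIG":
            for rdata in rdatas:
                covered.add((owner, rdata.split()[0].upper()))
    unsigned = sorted(k for k in after if k[1] != "RRSIG" and k not in covered)

    return {"changed": changed, "missing": missing, "unsigned": unsigned}


# --- constructed sample zones -------------------------------------------
UNSIGNED = """\
root-servers.net. 3600 IN SOA a.root-servers.net. hostmaster.example.net. 2010111101 7200 1800 1209600 3600
root-servers.net. 3600 IN NS a.root-servers.net.
root-servers.net. 3600 IN NS b.root-servers.net.
a.root-servers.net. 3600 IN A 192.0.2.1
a.root-servers.net. 3600 IN AAAA 2001:db8::1
b.root-servers.net. 3600 IN A 192.0.2.2
"""


def _sig(rtype):
    # Placeholder RRSIG rdata: type alg labels origttl expire inception keytag signer sig
    return f"{rtype} 8 3 3600 20101211000000 20101111000000 12345 root-servers.net. AAAA"


SIGNED_GOOD = UNSIGNED + "\n".join([
    "root-servers.net. 3600 IN DNSKEY 257 3 8 AwEAAfakeplaceholderkey",
    "root-servers.net. 3600 IN NSEC a.root-servers.net. NS SOA RRSIG NSEC DNSKEY",
    "a.root-servers.net. 3600 IN NSEC b.root-servers.net. A AAAA RRSIG NSEC",
    "b.root-servers.net. 3600 IN NSEC root-servers.net. A RRSIG NSEC",
    f"root-servers.net. 3600 IN RRSIG {_sig('SOA')}",
    f"root-servers.net. 3600 IN RRSIG {_sig('NS')}",
    f"root-servers.net. 3600 IN RRSIG {_sig('DNSKEY')}",
    f"root-servers.net. 3600 IN RRSIG {_sig('NSEC')}",
    f"a.root-servers.net. 3600 IN RRSIG {_sig('A')}",
    f"a.root-servers.net. 3600 IN RRSIG {_sig('AAAA')}",
    f"a.root-servers.net. 3600 IN RRSIG {_sig('NSEC')}",
    f"b.root-servers.net. 3600 IN RRSIG {_sig('A')}",
    f"b.root-servers.net. 3600 IN RRSIG {_sig('NSEC')}",
]) + "\n"

# A broken signed copy: one address altered, one RRSIG missing.
SIGNED_BAD = (SIGNED_GOOD
              .replace("a.root-servers.net. 3600 IN A 192.0.2.1",
                       "a.root-servers.net. 3600 IN A 192.0.2.99")
              .replace(f"b.root-servers.net. 3600 IN RRSIG {_sig('A')}\n", ""))

if __name__ == "__main__":
    print("good copy:", compare_zones(UNSIGNED, SIGNED_GOOD))
    print("bad copy: ", compare_zones(UNSIGNED, SIGNED_BAD))
```

Run it as-is to see the clean copy report empty lists and the broken copy report the altered A record and the RRset left without a signature; in practice the unsigned and signed inputs would be the zone file before and after the signer ran, and the report is the first thing to look at before the copy goes to any test resolvers.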