In message <20101111193938.gf16...@vacation.karoshi.com.>, bmann...@vacation.karoshi.com writes:
> On Thu, Nov 11, 2010 at 05:03:51AM -0500, Andrew Sullivan wrote:
> > Hi all,
> >
> > The last discussion of signing ROOT-SERVERS.NET involved the arguments
> > that there's no real value in signing the zone and that there is a
> > non-zero cost to doing so.
> >
> > I agree with both of those arguments, but I wonder whether it might
> > not be a better sales job if we just accepted it maybe ought to be
> > signed anyway. I'm aware that it runs against the grain to do
> > something purely for theatrical reasons, but sometimes people like a
> > good show. Every time this topic comes up (especially outside IETF
> > circles, where one can perhaps be expected to understand the detailed
> > arguments), a number of people argue that it's really necessary to
> > sign the zone, or that having an exception for this sets some kind of
> > precedent, or something. I think these discussions waste a lot of
> > time, and so as a purely tactical measure it strikes me that we could
> > shut down that line of argument by just signing the data.
> >
> > Thoughts?
> >
> > A
>
> Political coordination issues aside, there are some interesting
> technical issues here that have to do with the priming query
> and response. In the absence of 100% EDNS0 penetration, making
> this change will result in priming failures. In the interests
> of security and stability, is this a reasonable tradeoff?

Non-EDNS recursive nameservers won't see anything different. The only
ones that could fail are those that do EDNS + DO and block large DNS
responses and also block outgoing DNS/TCP queries.

Mark

> --bill
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
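
The failure condition in the reply above, as an added example that is not part of the original message: it builds the priming query (`. IN NS`) in wire format with and without an EDNS0 OPT record carrying the DO bit, reads the flags back as a server would, and applies the stated rule. The function names, the 512-byte meaning of "large" and the 1100-byte signed response size are assumptions made for illustration.

```python
import struct

NS, IN, OPT = 2, 1, 41
DO_FLAG = 0x8000  # DO bit: top bit of the low 16 bits of the OPT TTL field

def build_priming_query(edns=True, do=True, udp_size=4096, qid=0x1234):
    """Wire-format '. IN NS' query, optionally with an EDNS0 OPT record."""
    header = struct.pack("!6H", qid, 0, 1, 0, 0, 1 if edns else 0)
    question = b"\x00" + struct.pack("!2H", NS, IN)   # root name, NS, IN
    if not edns:
        return header + question
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG if do else 0, 0)
    return header + question + opt

def query_caps(wire):
    """(has_edns, do_bit, udp_limit) as a server would read them from the query."""
    arcount = struct.unpack("!H", wire[10:12])[0]
    if arcount == 0:
        return (False, False, 512)        # plain DNS: 512-byte UDP limit
    opt_at = 12 + 1 + 4                   # header + root QNAME + QTYPE/QCLASS
    rtype, size, ttl, _ = struct.unpack("!HHIH", wire[opt_at + 1:opt_at + 11])
    if rtype != OPT:
        raise ValueError("additional record is not OPT")
    return (True, bool(ttl & DO_FLAG), max(size, 512))

def priming_outcome(wire, signed_size, drops_large_udp, blocks_tcp):
    """Assumed model: 'large' means over 512 bytes; signed_size is constructed."""
    _, do, limit = query_caps(wire)
    if not do:
        return "unchanged"                # no signatures are returned
    if signed_size <= limit and not (drops_large_udp and signed_size > 512):
        return "udp"
    return "fail" if blocks_tcp else "tcp"

if __name__ == "__main__":
    SIGNED = 1100  # constructed response size in bytes, not a measurement
    for edns, do in [(False, False), (True, False), (True, True)]:
        q = build_priming_query(edns, do)
        for drop, notcp in [(False, False), (True, False), (True, True)]:
            print(edns, do, drop, notcp, priming_outcome(q, SIGNED, drop, notcp))
```

Only the combination of DO set, large UDP responses dropped and TCP blocked returns "fail"; every other resolver profile either sees the unsigned answer or recovers over UDP or TCP.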