At 12:34 PM -0800 11/12/10, David Conrad wrote:
>To me, it doesn't make a whole lot of sense to sign root-servers.net before
>.net is signed. As long as there is commitment from relevant parties that
>root-servers.net will be signed within some fixed timeframe after .net is
>signed, I'd be satisfied. But that's just me...

I didn't hear anyone asking for root-servers.net to be signed before .net is signed; it's kind of hard to sign a zone before its parent is, unless you are going to sign with a super-parent. To me, it would make more sense to sign root-servers.net with the .net key, not the root key.

A different way to think of this problem is that the registrant of this zone, VeriSign, should simply sign the zone just like it does other zones it controls, such as verisign.net. It would be hard for VeriSign to claim that signing verisign.net is of more security value than signing root-servers.net.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop