On 13 Nov 2010, at 00:17, Paul Hoffman wrote:

> At 12:34 PM -0800 11/12/10, David Conrad wrote:
>> To me, it doesn't make a whole lot of sense to sign root-servers.net before
>> .net is signed. As long as there is commitment from relevant parties that
>> root-servers.net will be signed within some fixed timeframe after .net is
>> signed, I'd be satisfied. But that's just me...
>
> I didn't hear anyone asking for root-servers.net to be signed before .net is
> signed; it's kind of hard to sign a zone before its parent is, unless you are
> going to sign with a super-parent. To me, it would make more sense to sign
> root-servers.net with the .net key, not the root key.

I would hope root-servers.net would have its own key and not simply use some other key that happens to be "lying around". Or did you mean signing of the DS record for root-servers.net?

In any case .net is going to be signed within 6 weeks. I would be surprised if root-servers.net can get all the rubber stamps in place by then, so not having .net signed right now is not an argument against starting the root-servers.net process now.

>
> A different way to think of this problem is that the registrant of this zone,
> VeriSign, should simply sign the zone just like it does other zones it
> controls, such as verisign.net. It would be hard for VeriSign to claim that
> signing verisign.net is of more security value than signing root-servers.net.
>

The admin contact is the IANA, not Verisign.

Joao