At 6:02 PM +0100 11/13/10, Joao Damas wrote:
>I would hope root-servers.net would have its own key and not simply use some 
>other key that happens to be "lying around". Or did you mean signing of the DS 
>record for root-servers.net?

Yes, of course.

>In any case .net is going to be signed within 6 weeks. I would be surprised if 
>root-servers.net can get all the rubber stamps in place by then, so not having 
>.net signed right now is not an argument against starting the root-servers.net 
>process now.

+1

> > A different way to think of this problem is that the registrant of this 
> > zone, VeriSign, should simply sign the zone just like it does other zones 
> > it controls, such as verisign.net. It would be hard for VeriSign to claim 
> > that signing verisign.net is of more security value than signing 
> > root-servers.net.
> >
>
>the admin contact is the IANA, not Verisign.

Indeed, but according to whois, VeriSign is both the registrant and the 
technical contact. Having said that, it is quite reasonable for the admin 
contact to decide to sign a zone and ask the parent to publish the keys.

--Paul Hoffman, Director
--VPN Consortium
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop