* Paul Hoffman: > Conservative, yes; operationally prudent, no. This type of thing can > be pre-tested fairly easily. For example, once .net starts signing, > make a private signing of root-servers.net and hand it out to > friends and family and watch for any anomalous results.
This is not sufficient because DNSSEC does not prescribe response contents, so different (root) servers (instances) will generate different responses from the same zone data, unless the specification is tightened considerably. In particular, such variation affects response sizes, which used to be a primary concern during the DURZ phase. -- Florian Weimer <fwei...@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop