* Paul Hoffman:

> Conservative, yes; operationally prudent, no. This type of thing can
> be pre-tested fairly easily. For example, once .net starts signing,
> make a private signing of root-servers.net and hand it out to
> friends and family and watch for any anomalous results.

This is not sufficient because DNSSEC does not prescribe response
contents, so different (root) servers (instances) will generate
different responses from the same zone data, unless the specification
is tightened considerably.  In particular, such variation affects
response sizes, which used to be a primary concern during the DURZ
phase.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
