On Jul 7, 2014, at 10:02 PM, Patrik Fältström <p...@frobbit.se> wrote:

> - Recovery process when bad data end up in the resolver (cache vs. auth)

That's the "cache has gone stale" issue that David raised. It is dealt with in 
the current draft. There is no other way for "bad data" to be in the cache 
other than by having it come from a signed root zone that has changed.

> - Routing issues (which is what I see the largest burden of a root server 
> operator)

The draft does not impose any "routing issue" on the root. In fact, it says 
that the signed root might be gotten from entities that are not root zone 
operators.

> - Lack of DNSSEC validation

The draft says repeatedly that the information is only entered if it is DNSSEC 
validated. If you can find any sentence in the draft that says differently, 
I'll fix it immediately.

> - The fact not all data in the root zone is signed

That is a statement with no effect. If the data is not signed when it is 
retrieved from the signed root zone, it will be unsigned when retrieved using 
normal queries to the root zone.

> - Political/regulative implications (to ensure a different TA is used than 
> ICANN)

That is a statement with no effect. Nothing in the draft changes the TA used to 
validate the root zone, so a validating recursive resolver acts identically 
whether it uses the mechanism or not.

> - Lack of legal protection of the root zone itself

Please try to explain this. The root zone operators currently serve the root zone 
signed with DNSSEC. This draft doesn't change that, so there are no new legal 
implications.

> ...and possibly more.

That is not helpful.

> ...and of course a combination of these.

Umm, that is not helpful either.

> Once again, this is such a large issue that I would prefer a bit better 
> arguments than what is demonstrated here.

The reason that there are not arguments in the -01 draft to deal with your 
issues above is that they seem unrelated to the draft. It is hard to have a 
section that says "Someone objected that this does X, but they are wrong" that 
has a finite length.

> Yes, I know you wrote in affection, but let this remind all of us that we can 
> do better.

Sure, but bringing up issues that are just as true whether or not the draft is 
implemented is not "doing better". Having a list of issues that come from what 
the draft changes would be great: we can deal with those.

--Paul Hoffman

P.S. None of the above relates to Joe's big issue, which is that implementing 
the draft doesn't help anyone much. To me, that's a much more valid (and 
measurable) criticism than anything on the list above.
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop