On Monday, 29 June 2015, at 19:07, David Conrad <d...@virtualized.org> wrote:

>>>> And yes, this will fail if any of the loopback drafts are deployed.
>>> Sorry, I must be missing something obvious. Why?
>> As to why,  perhaps I am missing the obvious, but if SUDSTA proceeds, does 
>> it matter if the origin IP of the root zone being served
>> is sporadically distributed?   It seems that one could not presume to have 
>> the data to assert the penetration of the new keys nor the
>> origin of the stale keys, if that information was diffused through the IP 
>> address space.
> 
> Ah. I thought when you said 'will fail', you meant the scheme itself wouldn't 
> work. Yes, we won't be able to see anyone who does root-loopback, but that is 
> no different than the existing situation, right?
> 

Actually, it makes it worse. _IF_ a scheme to simplify updates comes to fruition, in today's networks there are (presumptively) a dozen+1 roots with their associated IPs (call it 26 IP addresses) that need to be monitored. The downside is the EXISTING unknown private roots who we don't see PLUS the (again presumptive) number of new sites which will adopt root loopback to gain a "legitimate" root nameserver in their networks. When this happens in largish networks (let's pick on China) then we will have added yet another layer of operational coordination/complexity with the need to synchronize key rollovers between (very big) islands of trust.

So it can be made to work, but the layers of gum, baling wire, and duct tape are, IMHO, problematic.

/bill
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop