On 29June2015Monday, at 19:07, David Conrad <d...@virtualized.org> wrote:
>>>> And yes, this will fail if any of the loopback drafts are deployed. >>> Sorry, I must be missing something obvious. Why? >> As to why, perhaps I am missing the obvious, but if SUDSTA proceeds, does >> it matter if the origin IP of the root zone being served >> is sporadically distributed? It seems that one could not presume to have >> the data to assert the penetration of the new keys nor the >> origin of the stale keys, if that information was diffused through the IP >> address space. > > Ah. I thought when you said 'will fail', you meant the scheme itself wouldn't > work. Yes, we won't be able to see anyone who does root-loopback, but that is > no different than the existing situation, right? > Actually, it makes it worse. _IF_ a scheme to simplify updates comes to fruition, in todays networks there are (presumptive) a dozen+1 roots with their associated IP’s (call it 26 ip addresses) that need to be monitored. The downside is the EXISTING unknown private roots who we don’t see PLUS the (again presumptive) number of new sites which will adopt root loopback to gain a “legitimate” root nameserver in their networks. When this happens in largish networks (lets pick on China) then we will have added yet another layer of operational coordination/complexity with the need to synchronize key rollovers between (very big) islands of trust. So it can be made to work, but the layers of gum, bailing wire, and duct tape are, IMHO, problematic. /bill _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
