> On 16 Dec 2017, at 2:37 am, Joe Abley <jab...@hopcount.ca> wrote:
> 
> On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> 
>> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>> 
>>> I agree that the mechanics of the change in the text, and even in the code to 
>>> support this, are pretty minor, but I am slightly worried about the intended 
>>> generality of the proposed change being a small step too far, so I am 
>>> curious to understand why you are advocating this change.
>> 
>> Because the root zone is not special for DNSSEC.
> 
> I agree with that philosophically, but not practically.
> 
> In practical terms anybody who has a non-root trust anchor installed has a 
> bidirectional operational relationship with the people who publish it. 
> Synchronising that trust anchor, with the glorious benefit of a full list of 
> relying parties and knowledge of how to interact with them, is a far cry from 
> the situation we find ourselves in with the root zone.
> 
> While it's conceptually elegant to have this mechanism easily available to 
> the operator of nameservers for any zone, it's not clear to me that this is 
> supported by a tangible use case.
> 
> If changes motivated by this desire for elegance weaken support for the one 
> use case we have, they seem like a bad idea. (Not saying they do; I haven't 
> thought about them that hard and in any case I am not an implementor.)
> 

I share Joe’s concern here - I prefer the option of a simple, focussed 
mechanism that reports on a resolver’s root zone KSK trust state. 

I’ll leave this open, but will not incorporate Paul’s proposed changes into the 
WG draft unless I see some further WG comments in favour of making this 
proposed change.


regards,

   Geoff


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop