On 16 Dec 2017, at 2:37 am, Joe Abley <jab...@hopcount.ca> wrote:

> On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
>> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>>
>>> I agree the mechanics of the change in the text, and even in the code to
>>> support this are pretty minor, but I am slightly worried about the intended
>>> generality of the proposed change being a small step too far, so I am
>>> curious to understand why you are advocating this change.
>>
>> Because the root zone is not special for DNSSEC.
>
> I agree with that philosophically, but not practically.
>
> In practical terms anybody who has a non-root trust anchor installed has a
> bidirectional operational relationship with the people who publish it.
> Synchronising that trust anchor, with the glorious benefit of a full list of
> relying parties and knowledge of how to interact with them, is a far cry from
> the situation we find ourselves in with the root zone.
>
> While it's conceptually elegant to have this mechanism easily available to
> the operator of nameservers for any zone, it's not clear to me that this is
> supported by a tangible use case.
>
> If changes motivated by this desire for elegance weaken support for the one
> use case we have, they seem like a bad idea. (Not saying they do; I haven't
> thought about them that hard and in any case I am not an implementor.)
>
I share Joe’s concern here - I prefer the option of a simple, focussed mechanism that reports on a resolver’s root zone KSK trust state.

I’ll leave this open, but will not incorporate Paul’s proposed changes into the WG draft unless I see some further WG comments in favour of making this proposed change.

regards,

Geoff

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop