On Jan 24, 2011, at 8:48 PM, Randy Bush wrote:

>> And now that DNSSEC is deployed
>
> and you are not sharing what you are smoking

root and .arpa are signed, well on the way, particularly relative to RPKI. Incremental cost of signing in-addr.arpa using a deployed DNS system as opposed to continuing development, deployment and operationalizing and dealing with all the political issues with deploying a new RPKI system -- hrmm.

And again, I'm not opposed to RPKI and know we REQUIRE number resource certification before we can secure the routing system. I just don't like the notion of deploying a brand new system with data that at the end of the day is going to look an awful lot like the existing in-addr.arpa delegation system that's deployed, and introduce new hierarchical shared dependencies that don't exist today.

Keep it simple?

-danny