On Thu, May 17, 2012 at 01:39:44PM +0000, paul vixie wrote:
> On 5/17/2012 1:21 PM, Andrew Sullivan wrote:
> > ... I think this would happen to the root zone, too, and that seems
> > worse than just one ccTLD. Encouraging random people to keep local
> > copies of the root without anyone knowing about it is almost certainly
> > an excellent way to cause more DNS failures.
>
> i think we have to admit that this kind of thing is going to happen

Which "this"? "People will keep local slaves and break sometimes" or "we encourage people to keep local slaves that break sometimes"? The former certainly will (or has), and given the shortage of Internet Wisdom Cops (or, for that matter, Internet Wisdom) I can't imagine anyone picking that windmill.

The latter, though, is something that we who have the slightest (or, in my personal case, less than slightest) clue of what we're doing can control. We can in fact recommend that there are better answers than "make a mirror nobody knows about". In my reading, that was all Joe was arguing anyway, given the L policy (which, as he pointed out, is very nearly "buy this server and you got yourself a root server").

> routing and great firewalls. the way to ensure that more people get real
> answers may indeed be wide spread root zone stealth slavery.
>
> i realize that this will just move the game down-level to the tld's,

If I read you correctly, in military terms you are arguing there for a retreat to a location that is itself not securable, and …

> permanent difference. but by the time that part of the game is playing
> out, i'm hoping for relevant penetration levels of dnssec.

… then arguing that the hoped-for availability of a future tactical advantage will mean that the location you just gave up would have held anyway. I think I disagree with the strategy.

Best,

A

--
Andrew Sullivan
[email protected]
