On 7 Mar 2010, at 12:37, [email protected] wrote:

> ah come on Jim... folks should sign their zones as soon
> as they see fit, regardless of parental buy in.

Bill, IMO there's not much point in signing root-servers.net until its parents are signed. [And as I explained earlier, signing that zone is highly unlikely to make any difference to the threat of spoofed responses to priming queries.] While folk should sign zones as they see fit, lack of parental buy-in is a major reason why they don't sign their zones. The horrors of alternate Trust Anchors should make everyone think very long and hard about when to deploy DNSSEC.

This is maybe just about tolerable for a handful of TLDs. However I hope all this will melt away once we reach the promised land of a signed root this summer.

That said, I'd encourage people to put zone signing into pre-production so they can figure out how to update procedures and documentation, train ops/support staff and also get experience with signing tools, key rollovers and so forth. They'll then be ready to flick the switch come the glorious day when their parent(s) are signing delegations.
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
