On Sun, Mar 07, 2010 at 01:43:36PM +0000, Jim Reid wrote:
> On 7 Mar 2010, at 12:37, [email protected] wrote:
>
> >ah come on Jim... folks should sign their zones as soon
> >as they see fit, regardless of parental buy-in.
>
> Bill, IMO there's not much point in signing root-servers.net until its
> parents are signed. [And as I explained earlier, signing that zone is
> highly unlikely to make any difference to the threat of spoofed
> responses to priming queries.] While folk should sign zones as they
> see fit, lack of parental buy-in is a major reason why they don't sign
> their zones. The horrors of alternate Trust Anchors should make
> everyone think very long and hard about when to deploy DNSSEC.
and you think this is the primary reason to sign/not sign?
i suspect that the real reason to sign early/often is actually
enumerated below.
> This is maybe just about tolerable for a handful of TLDs. However I
> hope all this will melt away once we reached the promised land of a
> signed root this summer.
signed root nirvana ain't going to happen.
> That said, I'd encourage people to put zone signing into pre-
> production so they can figure out how to update procedures and
> documentation, train ops/support staff and also get experience with
> signing tools, key rollovers and so forth. They'll then be ready to
> flick the switch come the glorious day when their parent(s) are
> signing delegations.
bingo. that's the reason to sign now, irrespective
of some laggard parent.
--bill
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop