-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Tony, Joe,

On 03/08/2010 08:35 PM, Tony Finch and Joe Abley alternated:
>>>> - signing ROOT-SERVERS.NET would result in potentially-harmful large
>>>> responses with no increase in security
>>>
>>> Can't you deal with this by omitting the root-servers.net RRSIGs from the
>>> additional section of responses to queries to the root?
>>
>> Are you suggesting that we implement a coordinated code change to all
>> root servers in the name of security or stability?
>
> I suppose it was more a protocol / implementation question, along the
> lines of BIND's minimal-responses option.

It is not a code change for NSD. The RRSIGs of root-servers.net would
not be present in replies for the root, e.g. in the prime response.

>> Diversity in operation and code base is usually thought to be a strength
>> of the root server system.

+1; here exposing a subtle (interpretation?) difference.

Also +1 for the consensus analysis about signing: not on the path of
trust but still somewhat useful to do, but not add another TA for it.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkuWKf4ACgkQkDLqNwOhpPhwtwCfR/GRpVG87AqUP/dNYnqmFaLt
AaUAoJstPMB/zJ5MwhanxWieQ3zQcCH3
=idvu
-----END PGP SIGNATURE-----
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
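The size concern behind the thread (RRSIGs for root-servers.net glue inflating the priming response) can be made concrete by building a priming-style reply in wire format and measuring it with and without RRSIGs in the additional section. The following is an added illustration written for this page; it is not code from the email, from NSD or from BIND. It assumes a simplified, uncompressed encoding (so byte counts are an upper bound on a real, compressed reply), constructed documentation-range addresses (192.0.2.0/24, 2001:db8::/32), zero-filled signatures of a chosen length, and placeholder algorithm and key-tag values, since only the size of each record matters here.

```python
import struct

# RR type codes (RFC 1035 / RFC 3596 / RFC 4034) and class IN
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_RRSIG = 1, 2, 28, 46
CLASS_IN = 1

# The thirteen root-server names; their addresses below are constructed
# documentation-range values, not the real ones.
SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]


def encode_name(name: str) -> bytes:
    """Dotted name to uncompressed wire format (labels + terminating zero).
    Real responses use label compression, so this overestimates sizes."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered: int, signer: str, labels: int, ttl: int, sig_len: int) -> bytes:
    """RRSIG RDATA per RFC 4034 section 3.1. Algorithm 5, the timestamps and
    the key tag are placeholder values; the signature is zero filler of
    sig_len bytes (128 bytes corresponds to a 1024-bit RSA signature)."""
    fixed = struct.pack("!HBBIIIH", type_covered, 5, labels, ttl, 0, 0, 0)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def build_priming_response(sign_additional: bool, sig_len: int = 128) -> bytes:
    """Answer: the root NS RRset plus its RRSIG (the root zone is signed).
    Additional: A and AAAA glue for every server, optionally with the
    RRSIGs that a signed root-servers.net zone would provide for each."""
    ttl = 3600000
    answer = [rr(".", TYPE_NS, ttl, encode_name(s)) for s in SERVERS]
    answer.append(rr(".", TYPE_RRSIG, ttl, rrsig_rdata(TYPE_NS, ".", 0, ttl, sig_len)))

    additional = []
    for i, s in enumerate(SERVERS):
        additional.append(rr(s, TYPE_A, ttl, bytes([192, 0, 2, i + 1])))
        additional.append(rr(s, TYPE_AAAA, ttl, struct.pack("!8H", 0x2001, 0xDB8, 0, 0, 0, 0, 0, i + 1)))
        if sign_additional:
            # One RRSIG per RRset: the A set and the AAAA set of each owner name.
            signer = "root-servers.net."
            additional.append(rr(s, TYPE_RRSIG, ttl, rrsig_rdata(TYPE_A, signer, 3, ttl, sig_len)))
            additional.append(rr(s, TYPE_RRSIG, ttl, rrsig_rdata(TYPE_AAAA, signer, 3, ttl, sig_len)))

    # Header: constructed ID, flags QR+AA, QDCOUNT=1, ANCOUNT, NSCOUNT=0, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), 0, len(additional))
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    return header + question + b"".join(answer) + b"".join(additional)


def response_sizes(sig_len: int = 128) -> dict:
    """Byte counts of the two variants, for comparison."""
    return {
        "without_additional_rrsigs": len(build_priming_response(False, sig_len)),
        "with_additional_rrsigs": len(build_priming_response(True, sig_len)),
    }


if __name__ == "__main__":
    for variant, size in response_sizes().items():
        print(f"{variant}: {size} bytes")
```

With the stated assumptions the glue RRSIGs add 26 records of 194 bytes each, roughly quadrupling the reply, which is why a server that leaves them out of the additional section (as the message says NSD does, and as BIND's minimal-responses does more generally) keeps the priming response closer to a size that travels without fragmentation or TCP fallback. The signed answer section is unaffected, so the chain of trust for the root NS RRset stays intact either way.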