On Apr 3, 2013, at 8:03 AM, Joe Abley <[email protected]> wrote:

>> Note that none of the responses so far come from administrators of signed
>> TLDs, the folks most directly affected by a roll. It is hard to tell why
>> that might be, but I suspect that it involves trepidation and maybe outright
>> fear. Of course, they cannot voice that publicly.
>
> I think there's an argument that the people most directly affected by a roll
> will be end users to whom DNS responses are being validated.

There is such an argument, and there is a counter-argument. If rolling the root key causes visible problems (which I think most of us expect), it will be followed by lots of press articles that say "see, DNSSEC isn't reliable". The diminishing of trust has a greater effect on those who have committed resources to making their zone trustable than to relying parties.

> A KSK rollover in the root zone has no impact on signing operations at TLDs,
> or at any other zone.

Fully agree. If you focus just on the operations effects, it is easy to say that there will only be good coming from the roll. I prefer to look at the effect on the whole system, including the trust that the system is worthwhile.

--Paul Hoffman (who probably should have sent this and the earlier reply to dnssec-deploy, not dnsop, given that they were about trust and not operations)
