2008/8/15 David Conrad <[EMAIL PROTECTED]>:
> Hi,
>
> On Aug 15, 2008, at 9:15 AM, Ted Lemon wrote:
>>
>> But until we have root and .com signed, and until the average end-user is
>> protected by a validating resolver, we aren't done yet, and I don't really
>> get any actual benefit from my efforts. Which, tragically, is why it's
>> taking so long.
>
> There are people who appear to think deploying DNSSEC as soon as possible
> would be a good thing. There are also people who appear to think deploying
> DNSSEC is a fool's errand, that it won't get significant use because it makes
> things too hard, too complicated, too prone to failure, etc.
>
> However, because of DO, folks who don't configure their resolvers to do
> DNSSEC shouldn't ever see any DNSSEC goop.
>
> Given this, does anyone see any DNS security and/or stability concerns if a
> miracle were to happen and the root were to be signed tomorrow?

"If you build it, he will come."

No, I don't see any problem. Since enabling DNSSEC validation is a controlled process - i.e. you need to change configuration - people will know what they are doing. Sure, some people will get burnt once, twice, but then they will learn or just disable DNSSEC validation at all.

But what we need to do is to properly educate users wishing to enable DNSSEC validation. But that doesn't differ from TLD signing, and it's more a task for the TLD registry to speak to its users.

Ondrej.
--
Ondřej Surý
technický ředitel/Chief Technical Officer
-----------------------------------------
CZ.NIC, z.s.p.o. -- .cz domain registry
Americká 23, 120 00 Praha 2, Czech Republic
mailto:[EMAIL PROTECTED] http://nic.cz/
sip:[EMAIL PROTECTED] tel:+420.222745110
mob:+420.739013699 fax:+420.222745112
-----------------------------------------
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop