Andrew,
On Aug 19, 2008, at 5:55 AM, Andrew Sullivan wrote:
> > If some technology is going to be deployed, there is generally a
> > business reason for that to happen.
> This is also true, but in my experience one of those business reasons
> is, depressingly often, "This is the Current Thinking I read in
> _Network World_.
...
> Those companies will never look at
> the technology again, whatever the business reason is. "Too risky.
> It doesn't work. It breaks things."
I long ago gave up fighting against the market for what I felt was
'the right thing' in Internet technology. If a sufficient portion of
the market decides DNSSEC is too risky or it doesn't work or it breaks
things, so be it. Trust me when I say it is not something I will lose
sleep over.
The reason for my earlier question is that I believe that there is
sufficient interest in getting the root signed by folks who have
interest in DNSSEC for it to actually happen. If signing the root
were to have a significant and direct negative impact on folks who
consider DNSSEC a fool's errand then it would argue strongly against
signing the root. However, lacking that and since the only folks that
will experience the joys of DNSSEC should be those who explicitly
configure it, it would seem the harm done by signing the root would be
minimal.
So far, I have seen what appears to be a lot of FUD from Masataka and
the usual concerns/complaints about DNSSEC from folks who haven't
implemented it in their products or services. Peter Koch did provide
an interesting data point that warrants further investigation (20-35%
of queries having DO bit on seems a bit high to me) and someone else
responded privately that signing the root could impact the root
servers due to an increase in the number of TCP connections caused by
folks who turn on DNSSEC, but pretty much everyone else who has
responded said they see no problems.
I suspect the question as to what will break if the root is signed
will be asked in "venues that matter" in the near future. It would be
nice to have an answer, or at least an idea of what to look for,
beforehand.
Regards,
-drc
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop