On Fri, Aug 22, 2008 at 12:01:16AM +1000, Mark Andrews wrote:

> The issues David was pointing out have been visible for years.  So
> too has the recovery behaviour if one chooses to look for it.  There
> is nothing new in what David has been saying.

I think you may be missing the import of what he's saying, though.
The entire deployment strategy for DNSSEC has been a gradual
deployment strategy, in which zone operators may start signing their
zones and expect zero effects for security-oblivious resolvers.  That
assumption is still accurate, but we appear to have failed to think of
one class of deployment: the security-oblivious resolver operator with
a security-aware resolver.

Yes, some of those people are already running into the issues, and yes
the recovery is happening.  But David was asking, "If we just start
signing now, will anything happen to people who don't care about
DNSSEC?"  The answer, one might be surprised to learn, is, "Yes,
although probably nothing unrecoverable."  That answer is not as
encouraging as, "No."

> longer desirable now that DNSSEC is seeing deployment.  It is much
> better to get the problems fixed and that requires noise.

Well, that's certainly true.


Andrew Sullivan
+1 503 667 4564 x104
DNSOP mailing list

Reply via email to