Re: [DNSOP] A different question

Thu, 21 Aug 2008 17:28:16 -0700 

> On Thu, 21 Aug 2008, David Conrad wrote:
> > Now, I've always thought a separate root infrastructure that you had  
> > to opt in to would be a good way to go, but this quickly gets bogged  
> > down in extremely annoying (at least to me) layer 9 politics and I'll  
> > let someone else try to push that boulder up the mountain this time  
> > (Who me? Bitter?  Never).
> 
> I think a separate test infrastructure is a not just a "good way to
> go" but absolutely essential to properly test DNSSEC in the root.  The
> root zone is the most important one and any idea that we'd just sign
> the root zone and hope for the best is madness and reckless.  The
> discussion in this thread regarding DO makes this point better than I
> ever could.

        I'm not hoping for the best.  I'm confident that there won't
        be major issues.  Some lookups will slow down as due to the
        need to recover from broken bits of middleware.

        Is there any issue in David's list that SE or BR won't have
        encountered?  Are SE and BR falling off the Internet?

        Yes change is scary.

        Every machine that is setting DO is asserting that it can
        handle the responses the roots will generate.  These are
        the same sorts of response the servers for SE and BR are
        sending.

        The only real difference between SE/BR and the root is that
        everyone talks to the root.

        If one really wants to test larger responses one can hack
        the servers to add a EDNS option which pads out the UDP
        response to the advertised size.  It should be ignored by
        the receivers.  :-)

> I don't believe the politics of a separate infrastructure in which to
> deploy a signed root that would generate enough traffic to get a feel
> for a signed root's impact are insurmountable and I am not only happy
> to start pushing boulder, I've already begun.
> 
> Matt
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [EMAIL PROTECTED]
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop

Reply via email to