> On Thu, 21 Aug 2008, David Conrad wrote:
> > Now, I've always thought a separate root infrastructure that you had
> > to opt in to would be a good way to go, but this quickly gets bogged
> > down in extremely annoying (at least to me) layer 9 politics and I'll
> > let someone else try to push that boulder up the mountain this time
> > (Who me? Bitter? Never).
>
> I think a separate test infrastructure is not just a "good way to
> go" but absolutely essential to properly test DNSSEC in the root. The
> root zone is the most important one and any idea that we'd just sign
> the root zone and hope for the best is madness and reckless. The
> discussion in this thread regarding DO makes this point better than I
> ever could.

I'm not hoping for the best. I'm confident that there won't be major issues. Some lookups will slow down due to the need to recover from broken bits of middleware.

Is there any issue in David's list that SE or BR won't have encountered? Are SE and BR falling off the Internet?

Yes, change is scary. Every machine that is setting DO is asserting that it can handle the responses the roots will generate. These are the same sorts of response the servers for SE and BR are sending. The only real difference between SE/BR and the root is that everyone talks to the root.

If one really wants to test larger responses one can hack the servers to add an EDNS option which pads out the UDP response to the advertised size. It should be ignored by the receivers. :-)

> I don't believe the politics of a separate infrastructure in which to
> deploy a signed root that would generate enough traffic to get a feel
> for a signed root's impact are insurmountable and I am not only happy
> to start pushing boulder, I've already begun.
>
> Matt
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]
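
An added example, not part of the original message or of any name server's code: a sketch of the padding test suggested above, which reads the DO flag and advertised UDP size from a query's OPT record and builds a response filled out to exactly that size with an EDNS option. The option code 65001 (taken from the local/experimental range), the fixed message ID and the function names are assumptions made for illustration.

```python
import struct

OPT = 41             # EDNS0 OPT pseudo-RR type
DO_BIT = 0x8000      # "DNSSEC OK" flag, carried in the OPT TTL field
PAD_CODE = 65001     # assumption: option code from the local/experimental range

def encode_name(name):
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def opt_rr(udp_size, do, options=b""):
    # Root owner name, TYPE=41, CLASS=UDP size, TTL=flags, RDATA=options
    ttl = DO_BIT if do else 0
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, ttl, len(options)) + options

def build_message(name, udp_size, do, response=False, options=b""):
    flags = 0x8000 if response else 0x0100    # QR for responses, RD for queries
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1)  # constructed ID
    question = encode_name(name) + struct.pack("!HH", 2, 1)     # QTYPE=NS, IN
    return header + question + opt_rr(udp_size, do, options)

def parse_opt(msg):
    """Return (advertised_udp_size, do_flag); expects OPT right after the question."""
    pos = 12
    while msg[pos]:                  # skip the uncompressed QNAME labels
        pos += msg[pos] + 1
    pos += 1 + 4                     # root label, then QTYPE and QCLASS
    if msg[pos] != 0:
        raise ValueError("OPT owner name must be the root")
    rtype, udp_size, ttl, _rdlen = struct.unpack_from("!HHIH", msg, pos + 1)
    if rtype != OPT:
        raise ValueError("no OPT record")
    return udp_size, bool(ttl & DO_BIT)

def padded_response(query, name):
    """Answer a DO query with a response padded to the size the client advertised."""
    udp_size, do = parse_opt(query)
    plain = build_message(name, udp_size, do, response=True)
    fill = udp_size - len(plain) - 4     # 4 bytes: option code + option length
    if not do or fill < 0:
        return plain                     # no DO, or no room to pad: leave as is
    option = struct.pack("!HH", PAD_CODE, fill) + b"\x00" * fill
    return build_message(name, udp_size, do, response=True, options=option)
```

Sending such responses through a resolver path shows whether middleware between the two ends passes a UDP response of the full advertised size.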