On Fri, 22 Aug 2008, Mark Andrews wrote:
>       Every machine that is setting DO is asserting that it can
>       handle the responses the roots will generate.  These are
>       the same sorts of response the servers for SE and BR are
>       sending.

I'm not (just) concerned about individual resolvers.  I'm concerned
about the system as a whole, end to end.  We all know that .SE's
rollout wasn't completely smooth.  It wasn't IIS's fault: they did
everything they could for the variables under their control.  It was
the other stuff--such as the infamous SOHO router that didn't like
AD--that caused problems.

Now, there's no question that that SOHO router was broken and needs to
be fixed.  But magnify this situation to the entire Internet and
imagine the issues.  My point is that any course of action for DNSSEC
deployment in the root that doesn't include a lot of due diligence,
including large-scale testing, is reckless and irresponsible.  Signing
the root will be the single largest change ever undertaken to the root
zone and, arguably, to the DNS as a whole.

Please don't mistake any of my comments as a lack of support for
DNSSEC.  We do need to get the root signed, and I and the rest of
VeriSign are totally supportive.  VeriSign has had a root zone testbed
running for several months, in which we've been signing the root using
the same infrastructure and policies used for our CA operations.  (See
http://webroot.verisignlabs.com.)  And in our role as root zone
editor, we're ready to sign the production root when asked.

What disturbs me is that I detect a disturbing drumbeat of "We must
sign the root now--now now NOW!" in discussions in various venues.
Such talk doesn't show prudence but panic.

Let's sign the root.  But let's do it diligently, always keeping in
mind how important the infrastructure is.

Matt
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
