Peter, On Aug 23, 2008, at 4:09 AM, Peter Koch wrote: > It looks like part of your propsal has been overtaken by events > given that > the AAAA introduction for the root name servers went smoothly.
Yep. As I mentioned, it was unfinished, unpublished, and outdated. > How to avoid leakage between the plain and the DNSSEC signed root? What sort of leakage are you concerned about? > What is the back out strategy? I would presume that it would be made very clear that the separate infrastructure would simply be terminated at some point in the future following the deployment of the live signed root. > Most importantly: How do you make sure that the most representative > subset > of resolvers do actually opt-in? I suppose we could look at the major sources of traffic at the roots and then contact the administrators of those sources to see if they'd be willing to participate in the separate infrastructure. > Also, it is reasonable to assume that > > o the participants would be on the informed side, using well known and > recent software Or, we could do a statistical sample of sources of root traffic and try to get a significant portion to play along. > o for anybody with an "interesting" query volume or pattern, it would > most likely mean switching a production system Yes. The separate infrastructure would need to be production-quality and you'd need to convince folks that they could trust that infrastructure. >> In my experience, all the issues blocking forward motion on this have >> been political. Specifically, one of the concerns has been that a >> separate infrastructure would in some way promote alternate root name > And I'd say this is a serious concern. Why? The namespace and the infrastructure supporting that namespace are entirely different things. There is nothing magical about the existing root servers other than the fact that they are listed in the root hints file. The existence and use of ORSN hasn't appeared to have driven anyone to create alternative name spaces to my knowledge. > Also, an experiment is much different > from a migration for technical/operational and layer 9 reasons. I suspect it depends on what you're trying to discover in the experiment. > The operational > beeing that you'd essentially have to move all the DNSSEC unaware > resolvers, > as well - at least in the long run. For an experiment to see what if anything breaks if you sign the root? Regards, -drc _______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
