On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>
>> I agree the mechanics of the change in the text, and even in the code to
>> support this are pretty minor, but I am slightly worried about the intended
>> generality of the proposed change being a small step too far, so I am
>> curious to understand why you are advocating this change.
>
> Because the root zone is not special for DNSSEC.

I agree with that philosophically, but not practically.

In practical terms anybody who has a non-root trust anchor installed has a bidirectional operational relationship with the people who publish it. Synchronising that trust anchor, with the glorious benefit of a full list of relying parties and knowledge of how to interact with them, is a far cry from the situation we find ourselves in with the root zone.

While it's conceptually elegant to have this mechanism easily available to the operator of nameservers for any zone, it's not clear to me that this is supported by a tangible use case. If changes motivated by this desire for elegance weaken support for the one use case we have, they seem like a bad idea. (Not saying they do; I haven't thought about them that hard and in any case I am not an implementor.)

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop