On Jun 17, 2024, at 13:39, Joe Abley <jab...@strandkip.nl> wrote:
> 
> Hi Paul,
> 
> On 17 Jun 2024, at 21:18, Paul Hoffman <paul.hoff...@icann.org> wrote:
> 
>> The paragraph reads:
>> 
>> If the "root-servers.net" zone is later signed, or if the root servers are named in a
>> different zone and that zone is signed, having DNSSEC validation for the priming queries
>> might be valuable.
>> The benefits and costs of resolvers validating the responses will depend heavily on
>> the naming scheme used.
>> 
>> It is still accurate as it stands, does not lead to an assumption of what 
>> name would be signed and, more importantly, strongly indicates that the name 
>> that eventually gets signed might be different than root-servers.net. I'm 
>> not sure why we would want to remove that.
> 
> It might be technically true (although I could still nitpick about the 
> assumption that the root server names must necessarily live in a zone other 
> than the root) but I don't think it's useful.

I find it useful, but I see that it is also off-topic for current priming. 
Please note that the first sentence was actually part of RFC 8109, and I don't 
remember people objecting to it then. 

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- dnsop@ietf.org
To unsubscribe send an email to dnsop-le...@ietf.org
