Re: .gov DNSSEC operational message

[jamie rishaw <j () arpa com>]

Clearly this will require 3 years of subcommittee conferences in order to prove.

.j

On Sun, Dec 26, 2010 at 11:23, Florian Weimer <fw () deneb enyo de> wrote:
> * Jay Ashworth:
>
> > ----- Original Message -----
> > > From: "Matt Larson" <mlarson () verisign com>
> >
> > > The new KSK will not be published in an authenticated manner outside
> > > DNS (e.g., on an SSL-protected web page). Rather, the intended
> > > mechanism for trusting the new KSK is via the signed root zone: DS
> > > records corresponding to the new KSK are already present in the root
> > > zone.
> >
> > That sounds like a policy decision... and I'm not sure I think it sounds
> > like a *good* policy decision, but since no reasons were provided, it's
> > difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it.  This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.