nanog mailing list archives
Re: .gov DNSSEC operational message
From: jamie rishaw <j () arpa com>
Date: Mon, 27 Dec 2010 19:31:52 -0600
Clearly this will require 3 years of subcommittee conferences in order to prove. .j On Sun, Dec 26, 2010 at 11:23, Florian Weimer <fw () deneb enyo de> wrote:
* Jay Ashworth:----- Original Message -----From: "Matt Larson" <mlarson () verisign com>The new KSK will not be published in an authenticated manner outside DNS (e.g., on an SSL-protected web page). Rather, the intended mechanism for trusting the new KSK is via the signed root zone: DS records corresponding to the new KSK are already present in the root zone.That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell.I don't know if it influenced the policy decision, but as it is currently specified, the protocol ensures that configuring an additional trust anchor never decreases availability when you've also got the root trust anchor configured, it can only increase it. This means that there is little reason to configure such a trust anchor, especially in the present scenario.
Current thread:
- Re: .gov DNSSEC operational message - picking a fight, (continued)
- Re: .gov DNSSEC operational message - picking a fight bmanning (Dec 29)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Robert E. Seastrom (Dec 29)
- Re: .gov DNSSEC operational message Tony Finch (Dec 29)
- Re: .gov DNSSEC operational message Valdis . Kletnieks (Dec 29)
- Re: .gov DNSSEC operational message bmanning (Dec 29)
- Re: .gov DNSSEC operational message Tony Finch (Dec 30)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 30)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message jamie rishaw (Dec 27)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Kevin Oberman (Dec 28)
- Re: .gov DNSSEC operational message Jay Ashworth (Dec 28)
- Re: .gov DNSSEC operational message Kevin Oberman (Dec 28)
- Re: .gov DNSSEC operational message bmanning (Dec 28)