nanog mailing list archives
Re: .gov DNSSEC operational message
From: Jay Ashworth <jra () baylink com>
Date: Tue, 28 Dec 2010 21:17:57 -0500 (EST)
----- Original Message -----
From: "Florian Weimer" <fw () deneb enyo de>
That sounds like a policy decision... and I'm not sure I think it sounds like a *good* policy decision, but since no reasons were provided, it's difficult to tell.
I don't know if it influenced the policy decision, but as it is currently specified, the protocol ensures that configuring an additional trust anchor never decreases availability when you've also got the root trust anchor configured, it can only increase it. This means that there is little reason to configure such a trust anchor, especially in the present scenario.
Not being a DNSSEC maven, the idea that there was no out-of-band way to confirm what the in-band method was telling you seemed bad to me; Matt's explanation, OTOH, seems sensible.
Cheers,
-- jra