North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: wrt joao damas' DLV talk on wednesday

  • From: Randy Bush
  • Date: Tue Jun 13 14:56:43 2006

> With the current trust policy, it seems to me that DLV is a
> bootstrap mechanism intended to promote bottom-up pressure for
> DNSSEC deployment, and to give people a chance to get to grips
> with things like key rollover and zone signing.

well, unlike ipv6 marketing efforts, at least it does not create
an unrecoverable mess in routing.

> It's a frog dressed up as a chicken which is being rolled out
> because people are fed up waiting for an egg.
> In that context, perhaps it doesn't need to scale very far.

perhaps the bottom line is whether it makes us more vulnerable.
while an incorrectly secured zone is arguably no worse than one
which is not secured, it seems to create a focus for attack.

but what leaves me wondering is why this is all so difficult.
why can isc not simply say "we plan to vet zones as follows:.
and we plan to manage maintenance of key rollover as follows: