> From: Alex Bligh
>
> --On 22 July 2008 04:59:48 +0000 Paul Vixie wrote:
>
> > if there are no configuration knobs, no new error messages, no changes
> > to DHCP or /etc/resolv.conf or rendezvous, and no dependencies on the U
> > S Gov't to approve signing something before we can all start using the
> > technology, then it will be extraordinarily easier to deploy than
> > DNSSEC. it's just code and there are no forklifts.

>
> How much of the perceived problem is lack of signing by USG in your opin?


icann can't make a change of this kind to the root zone without permission
from a lot of people, definitely including its board and USG, probably
including IAB or IESG, and possibly including its SSAC and RSSAC and GAC
and ALAC committees. i don't know that USG is the last remaining approval,
and for that matter i don't know if USG has been asked to approve anything.

> I think there are other options (along the lines of DLV) that would allow
> faster deployment if this was substantially the longest pole in the tent
> and would allow CNOBIN, ccTLDs etc. to sign their zones if they were so
> minded. Clearly this would leave individual users to sign their zones,
> but those being spoofed / phished would have every incentive to get on
> with it.


suck though it may, we have to deploy dnssec. if icann can't sign the root
zone then the TLDs and/or everybody else will have to make other arrangements,
in which roy arends' DLVPTR work could be very important, or in which DLV
could play a transition role. had we been able to bite, chew, and swallow
dnssec, we could just use SIG(0) for stubs, and UDPPORT / QID predictability
would not matter.

i apologize for not making this case clearly enough when we launched DLV. i
think most folks were so concerned about DLV being a power/glory grab that
the merits and justifications and goals just didn't seem to register at all.

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: