Stephane Bortzmeyer wrote:
> On Sat, Jul 26, 2008 at 01:14:08AM +0200,
> Roy Arends wrote
> a message of 28 lines which said:
>> When a validator has a trust anchor configured for root, it _expects_
>> signatures for root.

> Which means there is no way back? If we sign ".fr", and people start
> to configure the trust anchor for ".fr" in their validating resolvers,
> we can no longer revert to the original, non-signed, system, should
> problems occur?
> Am I correct? AFAIK, DNSSEC has no way to express policies (in a
> RFC5016-like way) such as "should be signed".

You are correct.

However, if the root was signed, there would be no need for having separate trust anchors configured for a signed .fr.

And, this would mean that turning on or off the status of "is .fr signed?" could be handled from the root zone, allowing *relative* ease in backing out the signing of any TLD. No configuration changes would be needed by the operators of validating resolvers.

(IMHO, in addition to signing the root zone, there need to be changes to the speed with which changes of a technical nature can be made, once the technical administration of a TLD has been authoritatively and contractually delegated to an entity. Those include changes to A and AAAA glue records, and addition/removal of DNSSEC signatures (and thus the "signed"/"not-signed" status).)

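The validator behaviour the two messages above argue about, as an added toy model (not code from the list or from any real validator): it shows why a trust anchor configured directly for .fr turns an unsigned .fr into "bogus", while a DS record in a signed root can simply be withdrawn to make .fr "insecure" with no resolver changes. Zone names and data are constructed, and signature verification is reduced to a signed/unsigned flag.

```python
# Simplified model of how a DNSSEC validator classifies a zone as "secure",
# "insecure" or "bogus": a chain of trust runs from a configured trust anchor
# down through DS records published by each parent (RFC 4035 terminology).
# Signature checking is abstracted: a zone is either signed or it is not.
# Zone names are dotted strings, "" is the root. All data below is constructed.

def ancestors(name):
    """Chain from the root down to `name`: "nic.fr" -> ["", "fr", "nic.fr"]."""
    labels = [l for l in name.split(".") if l]
    return [".".join(labels[i:]) for i in range(len(labels), -1, -1)]

def validation_state(name, zones, trust_anchors):
    """zones: {zone: {"signed": bool, "ds": set of children it publishes DS for}}
    trust_anchors: set of zone names the resolver has a key configured for."""
    chain = ancestors(name)
    # Start from the most specific configured trust anchor covering `name`.
    anchored = [z for z in chain if z in trust_anchors]
    if not anchored:
        return "insecure"      # nothing configured: validation never starts
    start = chain.index(anchored[-1])
    if not zones[chain[start]]["signed"]:
        return "bogus"         # an anchor means the validator *expects* signatures
    for parent, child in zip(chain[start:], chain[start + 1:]):
        if child not in zones[parent]["ds"]:
            return "insecure"  # signed parent proves no DS: unsigned delegation
        if not zones[child]["signed"]:
            return "bogus"     # DS says "signed", child has no valid signatures
    return "secure"

def scenarios():
    """Constructed scenarios for the thread's argument. Returns {label: state}."""
    unsigned_root = {"": {"signed": False, "ds": set()}}
    root_with_ds = {"": {"signed": True, "ds": {"fr"}}}
    root_no_ds = {"": {"signed": True, "ds": set()}}
    fr_signed = {"fr": {"signed": True, "ds": set()}}
    fr_unsigned = {"fr": {"signed": False, "ds": set()}}
    return {
        # Today: unsigned root, resolvers configure a trust anchor for .fr
        "fr anchor, fr signed": validation_state("fr", {**unsigned_root, **fr_signed}, {"fr"}),
        # .fr stops signing while resolvers still carry the .fr anchor: no way back
        "fr anchor, fr unsigned": validation_state("fr", {**unsigned_root, **fr_unsigned}, {"fr"}),
        # Signed root, only a root anchor, DS for fr published in the root zone
        "root anchor, DS present, fr signed": validation_state("fr", {**root_with_ds, **fr_signed}, {""}),
        # Backing out: root withdraws the DS, .fr becomes insecure, resolvers untouched
        "root anchor, DS removed, fr unsigned": validation_state("fr", {**root_no_ds, **fr_unsigned}, {""}),
        # Back-out done in the wrong order: DS still in root but .fr already unsigned
        "root anchor, DS left, fr unsigned": validation_state("fr", {**root_with_ds, **fr_unsigned}, {""}),
    }
```

The last scenario is the operational hazard behind the remark about the speed of root-zone changes: the DS must leave the root before .fr drops its signatures, or validators see the TLD as bogus in the meantime.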