I've read MSJ's SO document. I think the approach is certainly
interesting, but I'm not convinced that Mike's proposal (the part that
deals with absence of authenticated denial/proven non-existence) will
significantly increase DNSSEC deployment, which I think is the main
motivation behind this proposal. I like the idea of the signer being a
non-parent (or, for that matter, the signed being a non-child), but that
is IMHO a whole new research topic.

The discussion on the validity of deploying DNSSEC, or on the feasibility
or impact of attacks on DNS, is repetitive and old, and has fewer
participants every time around. I'm going to apply Noah's principle for my
own involvement in these particular Namedroppers discussions: no more prizes
on forecasting rain; only for building arks.

DNSSEC development and deployment is real. A few TLDs deploy DNSSEC, and
most of the DNS-related software developers I've talked to have, or are
willing to implement DNSSEC. Microsoft's public commitment on adding
DNSSEC to their server/resolver set is yet one more prize. Meanwhile,
everyone who wants to use or deploy DNSSEC is screaming for tools, so more
prizes to win there.

Roy Arends
