> I don't see SO and DNSSECbis/ter as competing. They aren't solving the
> same problem. So I would suggest the answer is no.


i do see SO and DNSSECbis/ter as competing -- for mindshare, both among the
group of volunteers willing to work on these problems, and among vendors who
may wish to deploy or support Secure DNS, and among domain holders who may
with to adopt Secure DNS.

> I don't see much forward momentum for DNSSEC* regardless of DLV, NSEC3, SO,
> or any other factor recently debated on this list.


my own census among potential deployers indicates that until the DNS community
makes a decision about what Secure DNS will be, nobody's going to wait for it
or plan on it or include it in their plans at all. introducing SO at this
stage looks like "more dithering". this working group needs a clear goal set,
a strategy for meeting those goals, and strong leadership to keep us focused
on those goals. the leadership part is the only thing we've got right so far,
and admitting SO would send the other two requirements in the wrong direction.

> There's nothing standing in the way of progress, progress is just not
> happening. I have seen equally little forward momentum for SO. Is there
> code for it yet?


speaking as an implementor, nobody has yet come to ISC asking for SO or
offering to fund SO. if any other implementor or potential implementor has
heard EOI's or RFP's for SO or SO-like functionality, that would make the
working group's decision interesting.

> Is there evidence that the SO document's presence has stopped someone from
> deploying DNSSEC*? I'm presuming not, but I wouldn't know.


in addition to the usual problems in proving negatives, the cases i'm aware
of are of fence-sitters rolling their eyes and saying "AGAIN with the bi-annual
Secure DNS redesign? what IS it with you people?" which is to say, in answer
to your question, "yes and/or no".

> Has anyone been told to hold back on DNSSECbis because there are ongoing
> discussions over NSEC3, etc.? Are the distractions really distracting or
> just providing an excuse?


with respect to DLV adoption, some folks i've approached about using DLV have
said that if the only thing left to do for Secure DNS is sign the root, then
DLV is an appropriate bootstrap mechanism, but with NSEC3 in the offing, they
don't want to adopt Secure DNS at all until it settles down, so DLV is just
useless to them. i can extrapolate a bitter twisted cynical conclusion about
the appearance of "SO" on the landscape, but noone has actually done more
than roll their eyes (as described above), so it's not conclusive *enough*.

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: