[134081] in North American Network Operators' Group


Re: .gov DNSSEC operational message

daemon@ATHENA.MIT.EDU (Jay Ashworth)
Thu Dec 23 13:37:45 2010

Date: Thu, 23 Dec 2010 13:37:13 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <20101222211500.GF97136@DUL1MLARSON-M1.vcorp.ad.vrsn.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

----- Original Message -----
> From: "Matt Larson" <mlarson@verisign.com>

> The new KSK will not be published in an authenticated manner outside
> DNS (e.g., on an SSL-protected web page). Rather, the intended
> mechanism for trusting the new KSK is via the signed root zone: DS
> records corresponding to the new KSK are already present in the root
> zone.

That sounds like a policy decision... and I'm not sure I think it sounds
like a *good* policy decision, but since no reasons were provided, it's 
difficult to tell.

Why was that decision taken, Matt?

Cheers,
-- jra

