[134163] in North American Network Operators' Group
Re: .gov DNSSEC operational message
daemon@ATHENA.MIT.EDU (jamie rishaw)
Mon Dec 27 20:32:01 2010
In-Reply-To: <87bp48mosq.fsf@mid.deneb.enyo.de>
Date: Mon, 27 Dec 2010 19:31:52 -0600
From: jamie rishaw <j@arpa.com>
To: Florian Weimer <fw@deneb.enyo.de>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Clearly this will require 3 years of subcommittee conferences in order to prove.
.j
On Sun, Dec 26, 2010 at 11:23, Florian Weimer <fw@deneb.enyo.de> wrote:
> * Jay Ashworth:
>
>> ----- Original Message -----
>>> From: "Matt Larson" <mlarson@verisign.com>
>>
>>> The new KSK will not be published in an authenticated manner outside
>>> DNS (e.g., on an SSL-protected web page). Rather, the intended
>>> mechanism for trusting the new KSK is via the signed root zone: DS
>>> records corresponding to the new KSK are already present in the root
>>> zone.
>>
>> That sounds like a policy decision... and I'm not sure I think it sounds
>> like a *good* policy decision, but since no reasons were provided, it's
>> difficult to tell.
>
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it. This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.
>
>
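The availability property described in the quoted post (a validator with several trust anchors accepts data as Secure if any one of them starts a valid chain, so adding an anchor can only add a path that succeeds) is easy to check in a small model. The following is an added example, not code from this thread or from any resolver; the zone tree, key tags and DS records are constructed sample data, not the real root or .gov keys, and the "any chain validates" rule is assumed to be the semantics the post refers to.

```python
"""Toy model of DNSSEC trust-anchor selection (constructed example).

A zone's DNSKEY set is 'secure' if ANY configured trust anchor starts a
chain of DS -> DNSKEY links that reaches a KSK the zone actually signs
with.  Under that rule, adding a trust anchor can never turn 'secure'
into 'bogus'; at worst the new anchor is ignored.  A stale anchor for an
old .gov KSK is the case discussed in the thread.
"""

# Constructed zone tree: invented key tags, not real root/.gov key material.
# 'ksk' = tags the zone currently signs with; 'ds' = DS records it publishes
# for each child zone.
ZONES = {
    ".":   {"parent": None, "ksk": {"root-ksk-1"}, "ds": {"gov": {"gov-ksk-2"}}},
    "gov": {"parent": ".",  "ksk": {"gov-ksk-2"},  "ds": {}},
}

# Trust anchors are (zone, key tag) pairs.
ROOT_ANCHOR = (".", "root-ksk-1")
STALE_GOV_ANCHOR = ("gov", "gov-ksk-1")   # old KSK, no longer in use
FRESH_GOV_ANCHOR = ("gov", "gov-ksk-2")   # matches the current .gov KSK


def anchor_covers(anchor_zone, zone, zones=ZONES):
    """True if anchor_zone is `zone` itself or one of its ancestors."""
    current = zone
    while current is not None:
        if current == anchor_zone:
            return True
        current = zones[current]["parent"]
    return False


def validates_via_anchor(zone, anchor_zone, anchor_tag, zones=ZONES):
    """Walk from `zone` up to anchor_zone, checking each DS -> KSK link.

    Returns True only if every parent publishes a DS matching a KSK the
    child signs with, and the anchor tag matches a KSK in use at the top.
    """
    current = zone
    while current is not None:
        info = zones[current]
        if current == anchor_zone:
            return anchor_tag in info["ksk"]
        parent = info["parent"]
        if parent is None:
            return False  # walked off the top without meeting the anchor
        # The parent's DS set for this child must match a KSK in use.
        if not (zones[parent]["ds"].get(current, set()) & info["ksk"]):
            return False
        current = parent
    return False


def security_status(zone, anchors, zones=ZONES):
    """'secure' if any anchor yields a valid chain; 'bogus' if some anchor
    covers the zone but no chain validates; 'insecure' if no anchor covers it."""
    if any(validates_via_anchor(zone, az, at, zones) for az, at in anchors):
        return "secure"
    if any(anchor_covers(az, zone, zones) for az, _ in anchors):
        return "bogus"
    return "insecure"


def adding_anchor_never_hurts(zone, anchors, new_anchor, zones=ZONES):
    """Monotonicity check: adding an anchor must not move 'secure' to anything else."""
    before = security_status(zone, anchors, zones)
    after = security_status(zone, set(anchors) | {new_anchor}, zones)
    return not (before == "secure" and after != "secure")


if __name__ == "__main__":
    for label, anchors in [
        ("root only", {ROOT_ANCHOR}),
        ("stale .gov only", {STALE_GOV_ANCHOR}),
        ("root + stale .gov", {ROOT_ANCHOR, STALE_GOV_ANCHOR}),
        ("root + fresh .gov", {ROOT_ANCHOR, FRESH_GOV_ANCHOR}),
    ]:
        print(f"{label:20s} -> {security_status('gov', anchors)}")
```

The stale-anchor-only case comes out bogus, which is the failure mode an operator who pinned the old .gov KSK out of band would hit; with the root anchor also configured the same stale anchor is simply ignored and .gov stays secure. The caveat is that this is the protocol-level rule the post appeals to; a particular validator's handling of mismatched anchors is a separate question.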