[134194] in North American Network Operators' Group


Re: .gov DNSSEC operational message

daemon@ATHENA.MIT.EDU (Jay Ashworth)
Tue Dec 28 21:17:45 2010

Date: Tue, 28 Dec 2010 21:17:57 -0500 (EST)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
In-Reply-To: <87bp48mosq.fsf@mid.deneb.enyo.de>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

----- Original Message -----
> From: "Florian Weimer" <fw@deneb.enyo.de>
> > That sounds like a policy decision... and I'm not sure I think it sounds
> > like a *good* policy decision, but since no reasons were provided, it's
> > difficult to tell.
> 
> I don't know if it influenced the policy decision, but as it is
> currently specified, the protocol ensures that configuring an
> additional trust anchor never decreases availability when you've also
> got the root trust anchor configured, it can only increase it. This
> means that there is little reason to configure such a trust anchor,
> especially in the present scenario.

Not being a DNSSEC maven, the idea that there was no out-of-band way to 
confirm what the in-band method was telling you seemed bad to me; Matt's 
explanation, OTOH, seems sensible.

Cheers,
-- jra

