[85038] in North American Network Operators' Group


Re: Paul Vixie serving ORSN

daemon@ATHENA.MIT.EDU (Paul Vixie)
Fri Sep 30 17:20:53 2005

From: Paul Vixie <paul@vix.com>
To: nanog@merit.edu
In-Reply-To: Your message of "Fri, 30 Sep 2005 17:06:38 -0400."
             <20050930210638.1014D3BFCBD@berkshire.machshav.com> 
Date: Fri, 30 Sep 2005 21:18:54 +0000
Errors-To: owner-nanog@merit.edu


# Paul, if we ever get DNSSEC deployed, what will/should ORSN return for
# 
# 	dig ns .
# 
# 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

i don't know ORSN's plans.  i believe that the standard testbed methodology
(and bill manning would be the one to correct me here, if i'm wrong) is to
re-sign the zone with a key trusted by your client populations.  this would
not have been practical in the era before DS RRs, but as things stand, any
root zone signed by IANA will be verifiable by testbed operators, who can
re-sign the zone, including the DS RRs, and for the resulting population,
everything will "just work".  note, though, that i'm merely speculating --
it's possible that ORSN would just strip out the DNSKEYs and RRSIGs and
DS's, and publish a zone that was free of DNSSEC metadata.  i have no idea.
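
The two outcomes mentioned in the message above, sketched as an added example that is not part of the original post and not ORSN's or any testbed's tooling: re-signing keeps each DS RR (a digest of the child zone's own key) and replaces only the apex key and signatures, while stripping removes the DS RRs as well. All keys and records are constructed placeholders, the helper names are hypothetical, and signature generation itself is not modelled.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1 special case omitted)."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields: key tag, algorithm, digest type 2 (SHA-256), digest."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def strip_dnssec(zone):
    """Second outcome: publish the zone with no DNSSEC metadata at all."""
    return [rr for rr in zone if rr[1] not in {"DNSKEY", "RRSIG", "DS", "NSEC"}]

def resign(zone, apex, new_key):
    """First outcome: swap the apex key, keep DS, list RRsets needing new RRSIGs.
    Signature and NSEC generation are left to the signer and not modelled."""
    kept = [rr for rr in zone if rr[1] not in {"DNSKEY", "RRSIG", "NSEC"}]
    kept.append((apex, "DNSKEY", new_key))
    # Only authoritative data is signed: apex RRsets and DS, not delegation NS.
    to_sign = sorted({(o, t) for o, t, _ in kept if o == apex or t == "DS"})
    return kept, to_sign

def ds_matches(zone, child, child_key):
    """True if the zone still carries a DS that hashes to the child's own key."""
    return (child, "DS", make_ds(child, child_key)) in zone

# Constructed sample data: key bytes and record contents are placeholders.
COM_KEY = dnskey_rdata(257, 3, 8, b"constructed-com-ksk")
ORIG_KEY = dnskey_rdata(257, 3, 8, b"constructed-original-root-ksk")
TESTBED_KEY = dnskey_rdata(257, 3, 8, b"constructed-testbed-ksk")
ZONE = [(".", "SOA", "constructed"), (".", "NS", "a.root-servers.net."),
        (".", "DNSKEY", ORIG_KEY), (".", "RRSIG", "SOA, by original key"),
        ("com.", "NS", "a.gtld-servers.net."),
        ("com.", "DS", make_ds("com.", COM_KEY)),
        ("com.", "RRSIG", "DS, by original key")]

if __name__ == "__main__":
    kept, to_sign = resign(ZONE, ".", TESTBED_KEY)
    print("re-signed, com. DS intact:", ds_matches(kept, "com.", COM_KEY))
    print("stripped,  com. DS intact:", ds_matches(strip_dnssec(ZONE), "com.", COM_KEY))
```

A validator that trusts TESTBED_KEY can follow the unchanged DS down to the child's own DNSKEY; with the stripped zone there is no chain to follow.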
