On Aug 30, 2005, at 17:09, Randy Bush wrote:
I agree that if we do not get to a point where validators only have to configure between one and a handful of trust-anchors and those trust-anchors get automatically rolled DNSSEC will not reach the masses.
On the other hand we have to start deploying somewhere.
while i do have sympathy for this, when i consider, or try to consider, what the trust model and reliability of low-level roll-out of a hundred or a thousand scattered zones, the mind boggles. as trust keys require manual maintenance, there will be seemingly random failures, real fun debugging, ... and the trust won't distribute, it's SxC.
This is why I suggested starting with trying to get .arpa signed. Since it's controlled by the IAB, the zone should be free from the level-9 (and up) issues that infest the root. That would/should mean a single trust anchor for those who wanted to take part in the first faltering steps towards DNSSEC deployment. In the context of what the NCC is proposing, that would mean .arpa signing the KSKs for the stuff delegated by IANA to the NCC. This has to be better than having a bunch of trust anchors for each apex under ip6.arpa and in-addr.arpa -- let's not forget e164.arpa too -- that's managed by the NCC. We appear to agree that path is less than desirable.