On Oct 20, 2008, at 17:55, Dmitry Burkov wrote:
> for me the issue - as I wrote in previous email to Joao - it is how it can be used in software in future.
I'm not sure I understand the question, Dima. DNSSEC is an enabling technology because it gives new opportunities (and challenges) to developers. If data from the DNS can be verified, that opens up all sorts of possibilities. One technical question that could be asked here is "what happens when idiot developers embed the root key in an embedded system (say) and then the root key changes?". Is that what you're asking about?
> Depending on this - it can be critical.
> Second point - how it will be used for .arpa
See above. We already have some (limited) experience here with the NCC's efforts to sign parts of the reverse tree.
> Third point (not related to DNS - sorry - but similar problem) - sidr and its deployment.
I think it's unwise to link these. Though I suppose a signed part of the DNS name space would make it a whole lot easier to look up and verify (secure) routing announcements.