On Mon, Oct 20, 2008 at 03:50:46PM -0700, David Conrad wrote:
Bill,
On Oct 20, 2008, at 11:34 AM, bmanning@vacation.karoshi.com wrote:
perhaps, if one buys into the argument that there is only a single parent.
So, just to be clear, you're arguing the root shouldn't be signed and instead each validating resolver operator should harvest DNSKEYs of all zones that are signed?
no i am not. i report that the action of harvesting DNSKEYs and installing them into a zone purporting to be a parent is currently common practice. i have said nothing in this thread about the desirability or not of having signed zones. what can be inferred is that there are and will be many parties claiming to be "the root" and there is currently little to distinguish one from the other. even if one signs one's TLD, there is zero assurance that only a single root will harvest the DNSKEY and install it in their version of "the root".
Couldn't you harvest DNSKEYs regardless of whether the root is signed or not?
I could (but will not). Lutz can and does harvest DNSKEYs and installs them in the root. It's just not your version of "the root". It's not mine either. But then, mine is not shared by too many.
Thanks, -drc
You're welcome, --bill