On Aug 26, 2005, at 21:26, Randy Bush wrote:
In principle IAB could sign .arpa tomorrow, assuming someone was able and willing to hold its KSKs.
Don't forget "in-addr.arpa." and "ip6.arpa." - they delegate some of NCC's zones.
and don't forget that this does not scale.
Randy, you've confused me. What aspect of DNSSEC specifically "does not scale"? Do you mean having everyone embed trust anchors in their name server configurations for every signed TLD while we wait for the root to be signed? If so, I agree that's not scalable. But that's not what was under discussion here. At least I hope it wasn't.
manual coordination to maintain trusted keys for 292 tlds just does not work. and that assumes that the tlds are signed, not counting all the third and ninth level zones that make noise when the zones above them are not signed.
I raised the prospect of getting .arpa signed, not 292 tlds. If this was done, there would be one trust anchor for infrastructure zones and that should simplify things in the context of the NCC's proposals for deploying DNSSEC. Perhaps that might help the other RIRs to follow the NCC's lead. It should also allow us to get operational experience in handling keying material, signing policies and so on that could inform the discussion on getting the root signed. i.e. once the layer-9 stuff about that stopped (if it ever will), the lessons learned from gradually deploying DNSSEC in .arpa could provide a valuable knowledge base of practical experience to draw on.
this does not fly until the root is signed. and that does not fly until there is a key management plan and technology for it.
Well yes. But somebody has to start somewhere. IMO signing .arpa could/should be a stepping stone towards that goal. Please note these are my personal opinions and the usual disclaimers apply.
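The disagreement above is about how many trust anchors a validating resolver has to carry: one per "island of security" (a signed zone whose parent is not signed), versus a single anchor at .arpa or at the root. The following is an added example, not code from the thread or from any of its participants. It models that bookkeeping: given a constructed snapshot of which zones are signed, it lists the zones that would each need their own configured trust anchor, and it shows which configured anchor a validator would pick as the secure entry point for a name. The zone names and signed/unsigned states are constructed for illustration; the model assumes a signed parent always publishes the DS for its signed children.

```python
"""Trust-anchor bookkeeping for DNSSEC deployment scenarios (added example).

A validator can only build a chain of trust downward from a configured trust
anchor. A signed zone whose nearest enclosing zone is unsigned is an "island
of security" and must be anchored on every validator by hand. The zone
snapshots below are constructed; the model assumes every signed parent
publishes DS records for its signed children.
"""

from typing import Dict, Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """'In-Addr.ARPA.' -> ['in-addr', 'arpa']; the root ('.' or '') -> []."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_ancestor_or_equal(anchor: str, name: str) -> bool:
    """True if `anchor` is `name` itself or one of its ancestors in the tree."""
    a, n = _labels(anchor), _labels(name)
    return len(a) <= len(n) and (len(a) == 0 or n[-len(a):] == a)


def closest_anchor(name: str, anchors: Iterable[str]) -> Optional[str]:
    """Secure entry point for `name`: the configured anchor with the most
    labels that encloses it, or None (no anchor, so no validation possible)."""
    candidates = [a for a in anchors if is_ancestor_or_equal(a, name)]
    if not candidates:
        return None
    return max(candidates, key=lambda a: len(_labels(a)))


def islands_of_security(zones: Dict[str, bool]) -> List[str]:
    """Signed zones whose nearest enclosing zone is unsigned or unknown.
    Each one needs its own trust anchor on every validating resolver."""
    islands = []
    for zone, signed in zones.items():
        if not signed:
            continue
        enclosing = [z for z in zones if z != zone and is_ancestor_or_equal(z, zone)]
        nearest = max(enclosing, key=lambda z: len(_labels(z)), default=None)
        if nearest is None or not zones[nearest]:
            islands.append(zone)
    return sorted(islands)


# Constructed snapshot: root and .arpa unsigned, a few TLDs and reverse zones signed.
ZONES_TODAY = {
    ".": False,
    "se.": True,
    "nl.": True,
    "arpa.": False,
    "in-addr.arpa.": True,
    "ip6.arpa.": True,
    "10.in-addr.arpa.": True,  # a signed reverse zone under a signed parent
}

# Constructed: same as above, but .arpa signed (the stepping stone proposed above).
ZONES_ARPA_SIGNED = dict(ZONES_TODAY, **{"arpa.": True})

# Constructed: everything signed, root included.
ZONES_ROOT_SIGNED = {zone: True for zone in ZONES_TODAY}


if __name__ == "__main__":
    for label, zones in (("today", ZONES_TODAY),
                         ("arpa signed", ZONES_ARPA_SIGNED),
                         ("root signed", ZONES_ROOT_SIGNED)):
        islands = islands_of_security(zones)
        print(f"{label:12s}: {len(islands)} anchor(s) to maintain -> {islands}")
    print("entry point for 10.in-addr.arpa. with only arpa. anchored:",
          closest_anchor("10.in-addr.arpa.", ["arpa."]))
```

Run stand-alone it prints the anchor count for each scenario: four islands today, three once .arpa is signed (the two reverse zones collapse into the single .arpa anchor), and one once the root is signed. Scale the constructed TLD list up to the 292 mentioned in the thread and the "does not scale" point is the first line of that output.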