I very much doubt anyone's going to take responsibility for signing the root unless they know that, yes DNSSEC really does work and won't break the internet. bs. that is not the problem at the root. it's all layer nine. Nobody said this was an issue at the root Randy.
false. i did. if the root is not signed, dnssec is an unstabele and unscalable mess, with disasters for the end users waiting to happen.
And whether that's a layer-9 issue or not is irrelevant too
not when you seem to be trying to fix it at layers 3-7.
this genuine problem -- you'd presumably call it a non-problem -- has to be resolved somehow.
i consider it a major problem. and the only solution is getting iana to sign the root zone. whether we like it or not, that is the way dnssec was designed.
Getting real-world experience of what happens when DNSSEC is switched on is part of that process. So the recent moves in Sweden are to be commended as a step towards getting that experience. I'm disappointed if you don't share that view.
you should be used to me dissapointing you. after all, i am the guy publicly blamed for delaying dnssec for years. isolated deployments of dnssec will have interesting results. i eagerly await the results from sweden rolling their key in an emergency. and no, lutz, dlv has an unspecified trust model. and the answers to the trust model promised in san jose nanog many moons ago have yet to be given. randy