On 14 Feb 2007, at 9:11 PM, Lutz Donnerhacke wrote:
* David Conrad wrote:
On Feb 14, 2007, at 9:37 AM, Lutz Donnerhacke wrote:
I do trust my DLV data. I offer it to others.
And how do I trust the DLV registry you use?
You can't without knowing me.
So, there you go.. remember what Randy just said:
if the root is not signed, dnssec is an unstable and unscalable mess,
I am not a firm believer in DLV but I think it will allow the early deployers to familiarize themselves with the DNSSEC operational space. But, life for the masses, as opposed to early deployers, will only be good once:

- The root is signed
- Automated trust anchor rollover works (work on that finished in DNSEXT and is now at IESG level)
- A fair amount of TLDs is signed

Until then we will have to live with kludges like DLV.

Now I appreciate Lutz' offer but I think that the more DLV registries pop up, the more confusion and troubleshooting hell will be created, simply because users of different DLVs will have a different view on the namespace.

Note however that now, for folk who configure their nameservers to use a DLV registry, things will not be radically different operationally than in the case of a signed root; they configure one trust anchor, and off they fly.

So as long as the root is not signed I hope that people will converge to using[*] one DLV registry, and I also hope that the layer 9 stuff surrounding a signed root is being dealt with in an appropriate time window. (Neill just suggested one :-) )

--Olaf

[*] where using in this case means: take a leap of faith and put your trust in a particular DLV registry.

PS I appreciate the announcement about a validating recursive nameserver being turned on in some big IESP but I hope that will not become a trend ;-)

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/