So, the signed root made available at ns.iana.org is a demonstration/test service.

Originally, the plan was that it was going to be a production-quality signed root with its own set of secondaries that would allow folks who wanted to test DNSSEC in actual use to modify their root hints appropriately and go about their business. As part of this demonstration/test service, I felt it appropriate to require the secondaries for that service to enter into an agreement that would require those secondaries to meet a base service level commitment and (more importantly) to agree to discontinue use when the real root was signed.

Some of the existing root server operators whom I contacted to provide secondary service felt this threatened their continued operation of their root servers. They requested the service be made non-production quality, e.g., that IANA would take the service down periodically or otherwise make the service unreliable. I personally thought this would render the service essentially unusable for the purposes of validating caching resolver experimentation/testing as it would mean ISPs who wanted to play couldn't point to the signed root in their customer facing resolvers. Instead, Rick Lamb of IANA added some bogus TLDs with various failure modes (e.g., bad signatures, expired signatures, etc.)

In the end, I gave up trying to push the ns.iana.org experiment as I got extremely tired of the root server operator politics. The signed root continues to be provided with a very elaborate and secure signing mechanism, but I wouldn't call the service provided at ns.iana.org production quality.

FWIW.

Regards,
-drc

On Jun 24, 2008, at 6:42 PM, Ray.Bellis@nominet.org.uk wrote:
Does anyone happen to know what all of the "bert" entries are in there?
badbert. 180 IN NS NS.XTCN.COM.
fallbert. 180 IN NS NS.XTCN.COM.
goodbert. 180 IN NS NS.XTCN.COM.
lazybert. 180 IN NS NS.XTCN.COM.
Ray