ietf

Re: Proposed DNSSEC Plenary Experiment for IETF 74

2008-11-26 14:22:11
On Wed, Nov 26, 2008 at 10:50:56AM -0500, Russ Housley wrote:
> I have been approached about a plenary experiment regarding
> DNSSEC.  The idea is for everyone to try using DNSSEC-enabled clients
> during the plenary session.  I like the idea.  What do others think?
>
> Russ


nifty!  jck shares my concerns.  as far as I can determine, the only
way this would work at all is if everyone ran their own copy of a 
validating resolver on their own machines, each with a manually configured
suite of Trust Anchors.  Now what would be a truly interesting test is
to have multiple, independent implementations of RFC 5011 and agreement
by the TA owners to roll their keys during the IETF...  and see how the
various implementations of RFC 5011 break - or not.

or - we can all run pre-beta versions of windows-7 and statically point to
either of the two third-party trust anchors in the Internet, the ISC DLV registry
or the ICANN-ITAR.  either of which is one minor step removed from simple
static configuration.

then there is the tiny problem of the lack of a standard DNSSEC API - it can
be as simple as a single bit (validated or not) or can have a range of options.

i don't think there is consensus on what to do here.  and I am dubious that
there will be significant change before IETF 74.

but I could be wrong and may have to show up just to see how well the IETF
recreates Interop!



--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
