On Thu, Nov 27, 2008 at 03:52:50PM -0500, Steve Crocker wrote:
> All of the above should be invisible unless the end system explicitly
> invokes the DNSSEC-compliant recursive resolver AND asks for a signed
> response.
> Steve
for me, this statement is the crux of the issue.
it is crucial for there to be signed infrastructure.
no question about that. but for what purpose?
as noted elsewhere in this thread, the IETF network
has already implemented signed zones in the past (Dallas)
and actually had an application under test (FreeSwan).
for those of us who already run DNSSEC validators on our
local machines, I welcome the idea of a persistent signed
IETF infrastructure. (e.g. there will not be "the" DNSSEC
compliant recursive resolver... there will be many of them.)
but that is not the subject of an experiment.
i believe that some clarity would be helpful here.
if the folks in charge would clearly state what the experiment
is, expected outcome, how the community will be able to
gauge the success or failure of the experiment, and future
actions... then much of the discussion would dissipate or
shift.
back to my question - to what purpose? if all this is
invisible to the end-system, of what purpose is the exercise
of creating signed data? I think that there should be some
nod to end-system awareness/impact. And the primary point
of visibility (under the IETF control) is key roll. at least
imho. others will no doubt have their own points.
I look forward to more clarification on this proposed experiment.
--bill
Opinions expressed may not even be mine by the time you read them, and
certainly don't reflect those of any other entity (legal or otherwise).
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf