Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

Stephane Bortzmeyer <bortzmeyer@nic.fr> Sat, 26 July 2008 14:57 UTC

Date: Sat, 26 Jul 2008 15:41:11 +0100
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: Roy Arends <roy@nominet.org.uk>
Cc: namedroppers@ops.ietf.org
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Message-ID: <20080726144111.GA5204@laperouse.bortzmeyer.org>
References: <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <20080725193101.GB8193@outpost.ds9a.nl> <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info> <20080725221002.GK29775@commandprompt.com> <OFF4F9438A.D83AC9AB-ON80257491.007DB303-C1257491.007FA301@nominet.org.uk>
In-Reply-To: <OFF4F9438A.D83AC9AB-ON80257491.007DB303-C1257491.007FA301@nominet.org.uk>

On Sat, Jul 26, 2008 at 01:14:08AM +0200,
 Roy Arends <roy@nominet.org.uk> wrote 
 a message of 28 lines which said:

> When a validator has a trust anchor configured for root, it _expects_ 
> signatures for root. 

Which means there is no way back? If we sign ".fr", and people start
to configure the trust anchor for ".fr" in their validating resolvers,
we can no longer revert to the original, non-signed, system, should
problems occur?

Am I correct? AFAIK, DNSSEC has no way to express policies (in a
RFC5016-like way) such as "should be signed".


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>
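An added example, not part of the list message above or of any resolver's code: a small Python model of the validator behaviour the reply refers to (a configured trust anchor means signatures are expected for that zone), following the Secure/Insecure/Bogus classification of RFC 4035 section 4.3. It shows the two cases the question turns on: a zone with a trust anchor configured in validators cannot go back to unsigned without those validators dropping the anchor, whereas a zone below a signed, anchored parent can go back to unsigned once the parent withdraws its DS record. The `Zone` class, `validate()` function and the zone names are constructed for illustration; no cryptography is performed, a boolean stands in for "publishes RRSIGs" and a missing DS stands in for the NSEC/NSEC3 proof of an insecure delegation.

```python
"""Toy model of how a DNSSEC validator classifies an answer, in the spirit
of RFC 4035 section 4.3 (Secure / Insecure / Bogus).

Assumptions (added example, not code from the list thread):
  - No real cryptography: `signed` just says whether the zone publishes
    RRSIGs for its data, and `ds_in_parent` whether the parent publishes a
    DS record for it.  A missing DS stands in for the NSEC/NSEC3 proof of an
    insecure delegation that a real validator would demand.
  - Zone names and trust anchors below are constructed sample data.
"""
from dataclasses import dataclass

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


@dataclass(frozen=True)
class Zone:
    name: str            # zone apex with trailing dot, e.g. "fr."
    signed: bool         # zone publishes RRSIGs (DNSKEY, data, NSEC/NSEC3)
    ds_in_parent: bool   # parent zone publishes a DS record for this zone


def zone_chain(qname):
    """Zone cuts from the root down to qname: 'a.fr.' -> ['.', 'fr.', 'a.fr.']."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def validate(qname, zones, trust_anchors):
    """Return SECURE, INSECURE or BOGUS for data owned by zone `qname`.

    `zones` maps a zone name to its Zone; every name in zone_chain(qname)
    must be present.  `trust_anchors` is the set of zone names for which
    the validator has a trust anchor configured.
    """
    state = INSECURE  # nothing is expected to be signed until an anchor is met
    for name in zone_chain(qname):
        zone = zones[name]
        if name in trust_anchors:
            # A configured trust anchor means signatures are *expected* here:
            # unsigned data under an anchor is bogus, not merely insecure.
            state = SECURE if zone.signed else BOGUS
        elif state == SECURE:
            if zone.ds_in_parent:
                # Secure delegation: the child must be signed as well.
                state = SECURE if zone.signed else BOGUS
            else:
                # Parent proves there is no DS: the delegation is insecure,
                # so an unsigned child below it is acceptable.
                state = INSECURE
        # state INSECURE (no anchor above, no secure parent) stays insecure
        # whether or not this zone happens to be signed (island of security).
        if state == BOGUS:
            break
    return state


def fr_rollback_outcomes():
    """The situation asked about: 'fr.' gets signed, validators configure a
    trust anchor for it, then 'fr.' is reverted to unsigned."""
    root = Zone(".", signed=False, ds_in_parent=False)  # root unsigned, as in 2008
    anchored = {"fr."}
    before = validate("fr.", {".": root, "fr.": Zone("fr.", False, False)}, set())
    signed = validate("fr.", {".": root, "fr.": Zone("fr.", True, False)}, anchored)
    reverted = validate("fr.", {".": root, "fr.": Zone("fr.", False, False)}, anchored)
    # Only a validator that has dropped the anchor accepts unsigned 'fr.' again.
    anchor_removed = validate("fr.", {".": root, "fr.": Zone("fr.", False, False)}, set())
    return before, signed, reverted, anchor_removed


def child_rollback_outcomes():
    """Contrast: a zone below a signed, anchored parent can go back to
    unsigned as long as the parent withdraws its DS record."""
    zones = {".": Zone(".", False, False), "fr.": Zone("fr.", True, False)}
    anchored = {"fr."}
    with_ds = validate("example.fr.",
                       {**zones, "example.fr.": Zone("example.fr.", False, True)}, anchored)
    ds_withdrawn = validate("example.fr.",
                            {**zones, "example.fr.": Zone("example.fr.", False, False)}, anchored)
    return with_ds, ds_withdrawn


if __name__ == "__main__":
    print("fr. before/signed/reverted/anchor removed:", fr_rollback_outcomes())
    print("example.fr. with DS / DS withdrawn:", child_rollback_outcomes())
```

The model reproduces the asymmetry behind the question: for a child zone the parent controls the "way back" by removing the DS, but for the zone that validators anchor directly, the only way back is every validator dropping the anchor. RFC 5011 (automated trust anchor updates) gives a zone operator a protocol for that, by revoking the anchor keys, but only for validators that implement it and have fetched the revocation.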