Re: [DNSOP] zone signing with or without parental buy-in Sun, 07 March 2010 17:10 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0379D3A8FD7 for <>; Sun, 7 Mar 2010 09:10:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.987
X-Spam-Status: No, score=-5.987 tagged_above=-999 required=5 tests=[AWL=0.482, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, SARE_RMML_Stock10=0.13]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jZfKMb-XG4aQ for <>; Sun, 7 Mar 2010 09:10:14 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id C71373A8EEE for <>; Sun, 7 Mar 2010 09:10:14 -0800 (PST)
Received: from (localhost.localdomain []) by (8.12.8/8.12.8) with ESMTP id o27HAGrU010626; Sun, 7 Mar 2010 17:10:17 GMT
Received: (from bmanning@localhost) by (8.12.8/8.12.8/Submit) id o27HAFnN010625; Sun, 7 Mar 2010 17:10:15 GMT
Date: Sun, 07 Mar 2010 17:10:15 +0000
To: Jim Reid <>
Message-ID: <>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.4.1i
Subject: Re: [DNSOP] zone signing with or without parental buy-in
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 07 Mar 2010 17:10:17 -0000

On Sun, Mar 07, 2010 at 01:43:36PM +0000, Jim Reid wrote:
> On 7 Mar 2010, at 12:37, wrote:
> >ah come on Jim... folsk should sign their zones as soon
> >as they see fit, regardless of parental buy in.
> Bill, IMO there's not much point in signing until its  
> parents are signed. [And as I explained earlier, signing that zone is  
> highly unlikely to make any difference to the threat of spoofed  
> responses to priming queries.] While folk should sign zones as they  
> see fit, lack of parental buy-in is a major reason why they don't sign  
> their zones. The horrors of alternate Trust Anchors should make  
> everyyone think very long and hard about when to deploy DNSSEC.

	and you think this is the primary reason to sign/not sign?
	i suspect that the real reason to sign early/often is actuall
	enumerated below.
> This is maybe just about tolerable for a handful of TLDs. However I  
> hope all this will melt away once we reached the promised land of a  
> signed root this summer.
	signed root nirvana anint going to happen.

> That said, I'd encourage people to put zone signing into pre- 
> production so they can figure out how to update procedures and  
> documentation, train ops/support staff and also get experience with  
> signing tools, key rollovers and so forth. They'll then be ready to  
> flick the switch come the glorious day when their parent(s) are  
> signing delegations.

	bingo.  thats the reason to sign now, irrespective
	of some laggard parent.