Re: Transition from 2535 to opt-in
i keep looking at opt-in and DS and asking "how many more years will it take
before we get the complexity managed in dnssec and have widely deployed it?"
experience so far shows that if we sign up for another round of complexity on
the scale of opt-in we'll be some years at fine tuning it before we can have
meaningful interoperability testing on it, which would precede wide deployment
by some more years.
i have an alternative proposal. use hardware crypto and sign .COM with the
protocol we have now and stop the merry-go-round of dnssec protocol development
before a lot of us are overcome with motion sickness.
re:
> To: Brian Wellington <Brian.Wellington@nominum.com>
> cc: namedroppers@ops.ietf.org, roy.arends@nominum.com, markk@verisign.com,
> davidb@verisign.com
> Subject: Re: Transition from 2535 to opt-in
> Date: Fri, 30 Nov 2001 08:50:36 +0100
> From: Olaf Kolkman <olaf@ripe.net>
> Sender: owner-namedroppers@ops.ietf.org
> Precedence: bulk
>
>
> * I don't think that this is a problem. If a TLD is opt-in and a resolver
> * is not opt-in capable, it shouldn't contain a trusted-key for that TLD.
>
> How does that work if you enter the zone from a parent? I see that as
> long as the root is not signed this is not a problem for a TLD but in
> a general case a zone that is supposed to be secure and that uses
> opt-in will only have its secured RRs visible.
>
> For the generic case 2535 verifiers will have a problem with OPT-IN.
>
> --Olaf
>
>
>
>
> to unsubscribe send a message to namedroppers-request@ops.ietf.org with
> the word 'unsubscribe' in a single line as the message text body.