Paul Vixie serving ORSN

Paul Vixie paul at vix.com
Fri Sep 30 21:18:54 UTC 2005


# Paul, if we ever get DNSSEC deployed, what will/should ORSN return for
# 
# 	dig ns .
# 
# 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

i don't know ORSN's plans.  i believe that the standard testbed methodology
(and bill manning would be the one to correct me here, if i'm wrong) is to
re-sign the zone with a key trusted by your client populations.  this would
not have been practical in the era before DS RRs, but as things stand, any
root zone signed by IANA will be verifiable by testbed operators, who can
re-sign the zone, including the DS RRs, and for the resulting population,
everything will "just work".  note, though, that i'm merely speculating --
it's possible that ORSN would just strip out the DNSKEYs and RRSIGs and
DS's, and publish a zone that was free of DNSSEC metadata.  i have no idea.
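
The two outcomes speculated about above, as an added sketch that is not part of the original message and not ORSN's or any testbed's code. It assumes SHA-256 (digest type 2) DS records and constructed placeholder key bytes and names; actual RRSIG generation is left to a real signer.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    return struct.pack("!HBB", flags, 3, alg) + pubkey  # protocol field is always 3

def key_tag(rdata):
    """Key tag per RFC 4034 appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS (digest type 2) over owner name + child DNSKEY RDATA; no parent key involved."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def prepare(zone, testbed_key=None):
    """Drop upstream signing data. With testbed_key: keep DS and swap the apex
    DNSKEY (re-sign case). Without: drop DS too (DNSSEC-free case)."""
    drop = {"RRSIG", "NSEC", "DNSKEY"} | (set() if testbed_key else {"DS"})
    out = [rr for rr in zone if rr[1] not in drop]
    if testbed_key:
        out.append((".", "DNSKEY", testbed_key))
    return out  # new RRSIG/NSEC records come from the signer, not shown here

def child_still_validates(zone, owner, child_key):
    """True if the zone still carries a DS matching the child's own DNSKEY."""
    return (owner, "DS", make_ds(owner, child_key)) in zone

# Constructed sample data: key bytes and server names are placeholders.
UPSTREAM_KEY = dnskey_rdata(257, 8, b"upstream-root-key-bytes")
TESTBED_KEY = dnskey_rdata(257, 8, b"testbed-root-key-bytes")
ORG_KEY = dnskey_rdata(257, 8, b"org-child-key-bytes")
ZONE = [
    (".", "NS", "a.root-servers.example."),
    (".", "DNSKEY", UPSTREAM_KEY),
    (".", "RRSIG", "NS ... signed by upstream"),
    ("org.", "NS", "ns1.org.example."),
    ("org.", "DS", make_ds("org.", ORG_KEY)),
    ("org.", "RRSIG", "DS ... signed by upstream"),
]

if __name__ == "__main__":
    print(child_still_validates(prepare(ZONE, TESTBED_KEY), "org.", ORG_KEY))
```
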


