Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Paul Vixie serving ORSN

  • From: Paul Vixie
  • Date: Fri Sep 30 17:21:55 2005

# Paul, if we ever get DNSSEC deployed, what will/should OSRN return for
# 
# 	dig ns .
# 
# 		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb

i don't know ORSN's plans.  i believe that the standard testbed methodology
(and bill manning would be the one to correct me here, if i'm wrong) is to
re-sign the zone with a key trusted by your client populations.  this would
not have been practical in the era before DS RRs, but as things stand, any
root zone signed by IANA will be verifiable by testbed operators, who can
re-sign the zone, including the DS RRs, and for the resulting population,
everything will "just work".  note, though, that i'm merely speculating --
it's possible that ORSN would just strip out the DNSKEYs and RRSIGs and
DS's, and publish a zone that was free of DNSSEC metadata.  i have no idea.




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.