[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?

To: Roy Arends <roy@nominet.org.uk>
Subject: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Date: Sat, 26 Jul 2008 15:41:11 +0100
Cc: namedroppers@ops.ietf.org
In-reply-to: <OFF4F9438A.D83AC9AB-ON80257491.007DB303-C1257491.007FA301@nominet.org.uk>
References: <8A91CF57-0CBD-4CF2-BF59-C7D59CB4B7B9@virtualized.org> <20080724060743.GA7420@outpost.ds9a.nl> <48886C4D.4020500@ca.afilias.info> <63C0FFE7-17E6-4ECE-9A12-0537FE2E3F4B@ca.afilias.info> <4888FED2.6060204@NLnetLabs.nl> <E7388E94-D031-4059-91F9-1596A254E21C@ca.afilias.info> <20080725193101.GB8193@outpost.ds9a.nl> <BEADC795-3C76-407A-A979-2B0AAACE0328@ca.afilias.info> <20080725221002.GK29775@commandprompt.com> <OFF4F9438A.D83AC9AB-ON80257491.007DB303-C1257491.007FA301@nominet.org.uk>
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

On Sat, Jul 26, 2008 at 01:14:08AM +0200,
 Roy Arends <roy@nominet.org.uk> wrote 
 a message of 28 lines which said:

> When a validator has a trust anchor configured for root, it _expects_ 
> signatures for root. 

Which means there is no way back? If we sign ".fr", and people start
to configure the trust anchor for ".fr" in their validating resolvers,
we can no longer revert to the original, non-signed, system, should
problems occur?

Am I correct? AFAIK, DNSSEC has no way to express policies (in a
RFC5016-like way) such as "should be signed".


--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>

Follow-Ups:
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Matthijs Mekking <matthijs@NLnetLabs.nl>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Brian Dickson <briand@ca.afilias.info>

References:
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: David Conrad <drc@virtualized.org>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: bert hubert <bert.hubert@netherlabs.nl>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Brian Dickson <briand@ca.afilias.info>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Joe Abley <jabley@ca.afilias.info>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Jelte Jansen <jelte@NLnetLabs.nl>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Joe Abley <jabley@ca.afilias.info>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: bert hubert <bert.hubert@netherlabs.nl>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Joe Abley <jabley@ca.afilias.info>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: Andrew Sullivan <ajs@commandprompt.com>
- Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
  - From: "Roy Arends" <roy@nominet.org.uk>

Prev by Date: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Next by Date: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Previous by thread: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Next by thread: Re: How do we get the whole world to upgrade to DNSSEC capable resolvers?
Index(es):
- Date
- Thread