To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: iesg@ietf.org, dnsop@cafax.se
From: Mark Kosters <markk@netsol.com>
Date: Tue, 21 Mar 2000 09:43:03 -0500
In-Reply-To: <20000321102427.8975.qmail@cr.yp.to>
Sender: owner-dnsop@cafax.se
Subject: Re: Last Call: Root Name Server Operational Requirements to BCP

On Tue, Mar 21, 2000 at 10:24:27AM -0000, D. J. Bernstein wrote:
> I wrote:
> : For example, 3.3.2 says that root servers ``MUST be DNSSEC-capable,''
> : but NSI says that the current servers would choke if DNSSEC were used.
>
> In fact, it turns out that the current version of BIND _crashes_ if you
> give it a secure zone.
>
> I realize that the IESG wants to encourage people to support DNSSEC. But
> calling it ``best current practice'' is fraudulent.

Dan - the next sentence in 3.3.2 says:

   It is understood that DNSSEC is not yet deployable on some common
   platforms, but will be deployed when supported.

So, when DNSSEC is ready with an implementation that is robust and
scalable, the root servers must be able to support it. IMHO, there is
nothing fraudulent about that.

Mark

--
Mark Kosters markk@netsol.com
Network Solutions, Inc.
PGP Key fingerprint = 1A 2A 92 F8 8E D3 47 F9 15 65 80 87 68 13 F6 48