Re: Interim signing of the root zone.

[Ólafur Guðmundsson <ogud@ogud.com>]

At 14:10 2002-10-07, Bill Manning wrote:
>  some concerns:
>
>         DS only works in snapshot code.  And the publicly availble
>         snapshots have known, serious operational problems. We -REALLY-
>         need more stable code before committing this to production.

Bill this is version 00 of the draft, your concerns are noted but
this particular experiment is not starting next week or next month.
This is the documentation for the experiment and Johan is seeking feedback.

>         there are some indications from the root testbed that there
>         are fatal interactions with some released versions of DNS
>         code.  further controlled testing should be done.

Agreed.


>         the selection of RIRs.  RIRs -DO- have the DNS as a primary
>         field of activity.  (see in-addr.arpa.) The holders of
>         forward space (.SE, DE, NL, etc.) become disinfranchised
>         "customers".

RIR are geographically competent operators for this experiment,
for future production Layer 9 will become involved.


>         "sufficient number" and "out-of-band" are concepts that
>         really need some concrete recommendations.

Yes, suggestions.

>         key duration should be better fleshed out. Experiences from
>         the existing testbed may be useful.

yes, suggestions please,
as well as key length key set size etc, etc.


>         key publication methods have been explored but do need further
>         work.

agreed, this is one of many the research programs that this experiment
will hopefully shed some light on what works and what does not.
Issues involve:
         - DS or KEY as published record
         - where to publish
         - is there a way to auto-configure resolvers trusted keying list

         Olafur

         Olafur