[discuss] Having several trust anchors for DNSSEC (was Re: cgi.br release...)

Andrew Sullivan ajs at anvilwalrusden.com
Tue Jan 14 15:10:46 UTC 2014

On Tue, Jan 14, 2014 at 12:17:09PM +0100, Norbert Bollow wrote:
> Mueller proposed there --having several trust anchors for DNSSEC--
> IMO still looks like a very good idea from today's perspective.

I never understood how this was supposed to result in a manageable root
zone response size.  The DNSKEY RRset size would be enormous, wouldn't
it?  This issue is not addressed at all in the Kuerbis and Mueller
proposal, and every time I've asked about it I get a "look over
there!" response.

> I propose to include this in the agenda for the São Paulo meeting.

I think if the technical trade-off is shown to be realistic, it might
be a useful topic for the agenda (in particular, working out the
practical details).  If the technical issues are as serious as they've
always appeared to me to be, however, then the proposal is just wishful

I think it would be wise to take the conversation about technical
details off-list and summarize later, because I'm not convinced most
of the participants here are conversant with or interested in the
technical details of the DNS.  If we want to discuss it in the
presence of a lot of people who understand these issues (not a bad
idea), I would suggest either the IETF dnsext list (which is the list
that still exists from the now-shuttered DNS Extensions WG at the
IETF: DNSSEC was developed there), or the IETF DNSOP list, or the OARC
dns-operations list.  I can construct a pretty good argument for any
one of these to be the correct venue, but I think we should pick one
if we're going to have a list discussion.  These are all open lists,
note, so if people want to see the discussion they can.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
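To put a number on the response-size concern raised in the message above, here is an added back-of-the-envelope model (my own example, not Andrew's or the Kuerbis/Mueller proposal's). It computes the wire size of a root DNSKEY response from the RFC 4034 DNSKEY and RRSIG layouts and the RFC 3110 RSA key encoding. Assumptions, all labelled in the code: every trust-anchor KSK signs the DNSKEY RRset (otherwise a validator holding only that anchor could not build a chain), KSKs are RSA-2048, the single ZSK is RSA-1024, and the query carries an empty EDNS0 OPT record. Name compression is irrelevant because the owner name is the root itself.

```python
"""Estimate root DNSKEY response size as the number of trust-anchor KSKs grows.

Constructed example: the key sizes and the "every KSK signs the RRset"
rule are assumptions, not facts from the original mailing-list post.
"""

DNS_HEADER = 12
QUESTION_ROOT_DNSKEY = 1 + 2 + 2   # root name "." (one zero byte) + QTYPE + QCLASS
OPT_RR = 11                        # empty EDNS0 OPT: name(1) type(2) class(2) ttl(4) rdlen(2)
RR_FIXED = 1 + 2 + 2 + 4 + 2       # owner "." + TYPE + CLASS + TTL + RDLENGTH


def rsa_dnskey_rdata_len(modulus_bits: int, exponent_bytes: int = 3) -> int:
    """RFC 4034 s2 DNSKEY RDATA: flags(2) protocol(1) algorithm(1) + RFC 3110
    public key: exponent length octet(1) + exponent + modulus."""
    return 2 + 1 + 1 + 1 + exponent_bytes + modulus_bits // 8


def rsa_rrsig_rdata_len(modulus_bits: int, signer_name_len: int = 1) -> int:
    """RFC 4034 s3 RRSIG RDATA: type covered(2) alg(1) labels(1) orig TTL(4)
    expiration(4) inception(4) key tag(2) signer name + RSA signature."""
    return 2 + 1 + 1 + 4 + 4 + 4 + 2 + signer_name_len + modulus_bits // 8


def dnskey_response_size(n_ksk: int, ksk_bits: int = 2048,
                         n_zsk: int = 1, zsk_bits: int = 1024,
                         edns: bool = True) -> int:
    """Bytes on the wire for '. DNSKEY' with n_ksk trust-anchor KSKs.

    Assumption: each KSK produces its own RRSIG over the DNSKEY RRset so a
    validator configured with any single anchor can validate; the ZSK does
    not sign the DNSKEY RRset.
    """
    size = DNS_HEADER + QUESTION_ROOT_DNSKEY
    size += n_ksk * (RR_FIXED + rsa_dnskey_rdata_len(ksk_bits))
    size += n_zsk * (RR_FIXED + rsa_dnskey_rdata_len(zsk_bits))
    size += n_ksk * (RR_FIXED + rsa_rrsig_rdata_len(ksk_bits))
    if edns:
        size += OPT_RR
    return size


def bytes_per_extra_ksk(ksk_bits: int = 2048) -> int:
    """Marginal cost of one more anchor: its DNSKEY RR plus its RRSIG RR."""
    return (RR_FIXED + rsa_dnskey_rdata_len(ksk_bits)
            + RR_FIXED + rsa_rrsig_rdata_len(ksk_bits))


def max_ksks_under(limit: int, **kw) -> int:
    """Largest number of KSKs whose DNSKEY response still fits in `limit` bytes."""
    n = 0
    while dnskey_response_size(n + 1, **kw) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    # 1232 is the widely recommended EDNS buffer to avoid IPv6 fragmentation;
    # 4096 is a common resolver advertisement; 512 is classic DNS without EDNS.
    for n in (1, 2, 3, 5, 10):
        print(f"{n:2d} KSK(s): {dnskey_response_size(n):5d} bytes")
    print("each extra RSA-2048 KSK costs", bytes_per_extra_ksk(), "bytes")
    for limit in (512, 1232, 4096):
        print(f"fits under {limit}: up to {max_ksks_under(limit)} KSK(s)")
```

The marginal cost is the thing to look at: each additional RSA-2048 anchor adds its 275-byte DNSKEY RR and a 286-byte RRSIG, so two anchors already push the answer past 1232 bytes and a handful push it past a 4096-byte EDNS buffer, at which point resolvers fall back to TCP or suffer fragmentation. Smaller keys or algorithms with shorter signatures change the constants but not the linear growth in the number of anchors.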
