[governance] DNSSEC, was USG on ICANN - no movement here
Arno Meulenkamp
arno at ripe.net
Mon Aug 11 17:20:06 EDT 2008
Hi Avri, John,
John Levine wrote:
>> doesn't DNSSEC, once fully in place, lock us into the ICANN approved
>> root with no chance for variation? would DNSEC knock the ORSN model
>> out?
>
> Not really.
<...>
> The trust anchor for a non-IANA root would be differerent from the one
> for the IANA root. But just as you configure different root server IP
> addresses to pick your favorite root, you'll configure the
> corresponding trust anchor.
Of course, the "official" root server operators currently have the
possibility to serve whatever data they please. That possibility
will no longer be there once DNSSEC is in place. (for all DNSSEC
verifying resolvers, that is)
For instance, in the case of Verisign adding a wildcard to the .com
zone, there were secondaries that took out that resource record.
DNSSEC will put a stop to the option of secondaries to change the
content of the zone.
As to alternate roots, like John said, there is effectively no
change with the addition of DNSSEC, although people choosing an
alternate root need to also know to change their trust anchor.
regards,
Arno
____________________________________________________________
You received this message as a subscriber on the list:
governance at lists.cpsr.org
To be removed from the list, send any message to:
governance-unsubscribe at lists.cpsr.org
For all list information and functions, see:
http://lists.cpsr.org/lists/info/governance
More information about the Governance
mailing list