> The alternative is to direct IANA to collect, maintain and
> distribute this information to the DLV operators in the
> absence of a signed root. This would give a trusted path
> for data entry into the general DLV trees.
>

I don't see why the information would be distributed only to DLV operators. Asking IANA to publish this data on a suitably updated web page for the information of the community would enable both DLV operators to use it as well as anyone who wanted to configure those trust anchors without DLV.

As others have put this, a trust anchor registry outside the DNS may retain the basic mechanisms of DNSSEC better, while allowing folks to move past the current issues with a signed root. The underlying issue, of course, is how many TLD operators would publish in a trust anchor registry if it is made available; hopefully enough to provide convincing evidence that a signed root will be worth the operational issues around protecting the keying material.

I'm more worried that providing this registry (whether in DLV form or some other form) will either delay work on signing the root or that the response will be so anemic that folks will *assume* it would be similarly anemic in the case of a signed root.

In order of priority, in other words, my personal preferences are: sign the root, put up a trust anchor registry outside the DNS, feed the data to external DLVs, and set up a new DLV.

regards,
Ted

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf