On Wed, Nov 26, 2008 at 10:50:56AM -0500, Russ Housley wrote:
> I have been approached about a plenary experiment regarding
> DNSSEC. The idea is for everyone to try using DNSSEC-enabled clients
> during the plenary session. I like the idea. What do others think?
>
> Russ
>

nifty! jck shares my concerns. as far as I can determine, the only way this would work at all is if everyone ran their own copy of a validating resolver on their own machines, each with a manually configured suite of Trust Anchors.

Now what would be a truly interesting test is to have multiple, independent implementations of RFC 5011 and agreement by the TA owners to roll their keys during the IETF... and see how the various implementations of RFC 5011 break - or not.

or - we can all run pre-beta versions of windows-7 and statically point to either of the two third-party trust anchors in the Internet, the ISC DLV registry or the ICANN-ITAR. either of which is one minor step removed from simple static configuration.

then there is the tiny problem of the lack of a standard DNSSEC API - it can be as simple as a single bit (validated or not) or can have a range of options. i don't think there is consensus on what to do here. and I am dubious that there will be significant change before IETF 74.

but I could be wrong and may have to show up just to see how well the IETF recreates Interop!

--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf