On Thu, Nov 27, 2008 at 03:52:50PM -0500, Steve Crocker wrote:
>
> All of the above should be invisible unless the end system explicitly
> invokes the DNSSEC-compliant recursive resolver AND asks for a signed
> response.
>
>
> Steve

for me, this statement is the crux of the issue. it is crucial for there to be signed infrastructure. no question about that. but for what purpose? as noted elsewhere in this thread, the IETF network has already implemented signed zones in the past (Dallas) and actually had an application under test (FreeSwan). for those of us who already run DNSSEC validators on our local machines, I welcome the idea of a persistent signed IETF infrastructure. (e.g. there will not be "the" DNSSEC compliant recursive resolver... there will be many of them. but that is not the subject of an experiment.

i believe that some clarity would be helpful here. if the folks in charge would clearly state what the experiment is, expected outcome, how the community will be able to gauge the success or failure of the experiment, and future actions... then much of the discussion would dissipate or shift.

back to my question - to what purpose? if all this is invisible to the end-system, of what purpose is the exercise of creating signed data? I think that there should be some nod to end-system awareness/impact. And the primary point of visibility (under the IETF control) is key roll. at least imho. others will no doubt have their own points.

I look forward to more clarification on this proposed experiment.

--bill

Opinions expressed may not even be mine by the time you read them, and certainly don't reflect those of any other entity (legal or otherwise).

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
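The two conditions in the quoted sentence ("invokes the DNSSEC-compliant recursive resolver AND asks for a signed response") map onto concrete bits in the DNS wire format: a stub asks for a signed response by attaching an EDNS0 OPT record with the DO bit set (RFC 3225), and a validating resolver reports success by setting the AD flag in the reply header (RFC 4035) or returns SERVFAIL when validation fails. The following is an added illustration, not code from the thread or from any IETF project; it builds a query and a few constructed replies in memory (no network) so the end-system side of "visibility" can be inspected offline. The names `build_query`, `query_requests_dnssec`, `make_response` and `validation_status` are this example's own.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035) and the EDNS0 DO bit (RFC 3225).
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authentic Data: the resolver validated this answer
FLAG_CD = 0x0010   # Checking Disabled: client told the resolver not to validate
EDNS_DO = 0x8000   # DNSSEC OK, carried in the OPT RR's TTL field
RCODE_SERVFAIL = 2
TYPE_A, TYPE_OPT = 1, 41


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def build_query(qid, name, want_dnssec=True):
    """Stub-side query; with want_dnssec an OPT RR with DO=1 asks for a signed response."""
    arcount = 1 if want_dnssec else 0
    msg = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if want_dnssec:
        # OPT RR: root name, type 41, "class" = UDP payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return msg


def query_requests_dnssec(msg):
    """Resolver-side check: walk the message and report whether an OPT RR carries DO=1."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
    return False


def make_response(qid, name, ad, rcode=0):
    """Constructed resolver reply (sample data, not captured traffic): one A record or an error."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0) | rcode
    ancount = 0 if rcode else 1
    msg = struct.pack("!HHHHHH", qid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    if ancount:
        # name as pointer to offset 12 (the question), A/IN, TTL 300, documentation address
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    return msg


def validation_status(response):
    """What an end system can see: 'validated' (AD set), 'bogus-or-error' (SERVFAIL),
    or 'unvalidated' (answer returned but nothing asserted about its signatures)."""
    _, flags, *_ = struct.unpack("!HHHHHH", response[:12])
    if flags & 0x000F == RCODE_SERVFAIL:
        return "bogus-or-error"
    if flags & FLAG_AD:
        return "validated"
    return "unvalidated"


if __name__ == "__main__":
    q = build_query(0x1234, "example.com.")
    print("query asks for signed data:", query_requests_dnssec(q))
    for label, r in [("AD set", make_response(0x1234, "example.com.", ad=True)),
                     ("AD clear", make_response(0x1234, "example.com.", ad=False)),
                     ("SERVFAIL", make_response(0x1234, "example.com.", ad=False, rcode=RCODE_SERVFAIL))]:
        print(label, "->", validation_status(r))
```

The AD flag only tells the stub what the resolver claims; it is meaningful only when the path from resolver to end system is itself trusted (a validator on the local machine, as the message describes, removes that dependency). A reply without AD and without SERVFAIL is exactly the "invisible" case the quoted sentence refers to: signed data exists, but nothing about it reaches the application.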