On 2011-01-24, at 20:59, Danny McPherson wrote:
On Jan 24, 2011, at 8:48 PM, Randy Bush wrote:
And now that DNSSEC is deployed
and you are not sharing what you are smoking
root and .arpa are signed, well on the way, particularly relative to RPKI.
Incremental cost of signing in-addr.arpa using a deployed DNS system as opposed to continuing development, deployment and operationalizing and dealing with all the political issues with deploying a new RPKI system -- hrmm.
IN-ADDR.ARPA will be signed relatively soon, as part of the work described here: http://in-addr-transition.icann.org/ Timeline to follow, here and other similar lists, some time relatively soon. But I'm curious about your thoughts on the case I mentioned in my last message. I don't think the existence of a secure delegation chain from the root down to operator of the last sub-allocated address block is all that is required, here. Joe