# Paul, if we ever get DNSSEC deployed, what will/should OSRN return for # # dig ns . # # --Steven M. Bellovin, http://www.cs.columbia.edu/~smb i don't know ORSN's plans. i believe that the standard testbed methodology (and bill manning would be the one to correct me here, if i'm wrong) is to re-sign the zone with a key trusted by your client populations. this would not have been practical in the era before DS RRs, but as things stand, any root zone signed by IANA will be verifiable by testbed operators, who can re-sign the zone, including the DS RRs, and for the resulting population, everything will "just work". note, though, that i'm merely speculating -- it's possible that ORSN would just strip out the DNSKEYs and RRSIGs and DS's, and publish a zone that was free of DNSSEC metadata. i have no idea.