On Jan 24, 2011, at 8:48 PM, Randy Bush wrote:
And now that DNSSEC is deployed
and you are not sharing what you are smoking
root and .arpa are signed, well on the way, particularly relative to RPKI. Incremental cost of signing in-addr.arpa using a deployed DNS system as opposed to continuing development, deployment and operationalizing and dealing with all the political issues with deploying a new RPKI system -- hrmm. And again, I'm not opposed to RPKI and know we REQUIRE number resource certification before we can secure the routing system. I just don't like the notion of deploying a brand new system with data that at the end of the day is going to look an awful lot like the existing in-addr.arpa delegation system that's deployed, and introduce new hierarchical shared dependencies that don't exist today. Keep it simple? -danny