To add to Sebastian's response ...
On 29/07/2010, at 1:02 AM, Anton Smith wrote:
> What, if any, impact is there or will there be on zones that are not
> signed/dnssec compliant?
> What is the timeline for cutoff (if any), i.e. will there come a time when
> any system not compliant will simply be "cut off"?
We know that desktop operating systems will soon be capable of local DNSSEC validation and
so there will have to be local configuration options available along the lines of:
1. don't use DNSSEC
2. use DNSSEC where it is available
3. only use DNSSEC
I imagine that most sysadmins will configure the desktops within their control to option 2
for the foreseeable future. It may turn out in many years, say 5 to 10, that the general
setting is option 3, but there is always the possibility that a significant proportion of
domains do not sign and so that move is indefinitely delayed.
Last year in an open meeting, the .cn (China) registry suggested that they might never be
allowed to sign because the root keys are ultimately held by a US organisation, and so
were concerned that if we ever got to a stage where many people were selecting option 3,
then they would be effectively partitioned off from the rest of the Internet. I suspect
political considerations like that will take some time to overcome.
NZNOG mailing list
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840