To add to Sebastian's response ...

On 29/07/2010, at 1:02 AM, Anton Smith wrote:

What, if any, impact is there or will there be on zones that are not signed/dnssec compliant?

What is the timeline for cutoff (if any), i.e. will there come a time when any system not compliant will simply be "cut off"?

We know that desktop operating systems will soon be capable of local DNSSEC validation and so there will have to be local configuration options available along the lines of:

1. don't use DNSSEC
2. use DNSSEC where it is available 
3. only use DNSSEC

I imagine that most sysadmins will configure the desktops within their control to option 2 for the foreseeable future.  It may turn out in many years, says 5 to 10, that the general setting is option 3, but there is always the possibility that a significant proportion of domains do not sign and so that move is indefinitely delayed.

Last year in an open meeting, the .cn (China) registry suggested that they might never be allowed to sign because the root keys are ultimately held by a US organisation, and so were concerned that if we ever got to a stage where many people were selecting option 3, then they would be effectively partitioned off from the rest of the Internet.  I suspect political considerations like that will take some time to overcome.

cheers
Jay



Regards,
Anton
_______________________________________________
NZNOG mailing list
NZNOG@list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog


-- 
Jay Daley
Chief Executive
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 931 6977
mobile: +64 21 678840