[dnssec-deployment] A gazillion new TLDs
Ed.Lewis at neustar.biz
Fri Jun 27 08:38:26 EDT 2008
At 8:18 -0400 6/27/08, George M Jones wrote:
>That's the technical end of it. A shell script can handle that.
<sarcasm> ;) Yeah, shell scripts really scale well.
>I was wondering about the complexity of dealing with larger #s of
>organizations with differing technical ability, different motivations,
>different processes, more chances for things to go wrong, more keys
>to manage, >etc....
I think there are technical challenges, but nothing novel.
If the assumption is that there will be a million names in the root
zone, does ICANN today operate a registry on the scale of today's
million-name TLD operators? I.e., does ICANN do EPP, WhoIs, etc.?
Does ICANN have an established relationship with it's DNS operators?
These are the questions ICANN asked of the bidders for TLDs in the
past. If the growth is explosive, will ICANN rush to out source the
Maybe the root won't become than mammoth. Maybe the demand for a TLD
isn't the same as the demand to have one's names in many TLDs. I
don't know what gating function will be able to keep the root zone
both tractable and stable yet be fair in determining who gets a
delegation. If the gating is purely money, then I have a hunch there
will be all sorts of bureaucratic problems. If the price is well
above cost and ICANN develops deep pockets it becomes a target and
all that money is money not invested in the industry they regulate.
>maybe its a non-issue (I hope) or off topic, but I was wondering if
>anyone sees scaling issues that might impact security/deployability.
It will depend on who the root grows. Scaling issues are not linear,
there are thresholds where systems become more complex. Thresholds
aren't just fixed numbers, they are bands and often times one crosses
through one without knowing and then faces the problems.
Besides - change is always a problem for security. Any change.
Edward Lewis +1-571-434-5468
Never confuse activity with progress. Activity pays more.
More information about the Dnssec-deployment