Tomofumi,

On Sep 21, 2014, at 9:41 PM, Tomofumi Okubo <tomofumi.okubo@gmail.com> wrote:

> I think the huge difference between the CA business and Root DNSSEC is that there is no going out-of-business for Root DNSSEC.
I agree 100%, which is why I tend to be (perhaps overly) concerned with minimizing risks.
> It doesn’t matter how ugly it gets, we have no option but to recover and keep on providing the service at all costs.
I don’t think there is any disagreement here on this issue. The question is how risks are mitigated.

AFAICT, there is an assumption that there are two modes of potential failure: (a) a catastrophic failure in which the only option is re-bootstrapping and (b) a non-catastrophic failure in which 5011 is a (potentially) viable solution.

Is anyone arguing that we do not need to be prepared for (a), regardless of how unlikely it might be?

What exactly does (b) look like? That is, what is a non-catastrophic failure that would necessitate a key roll?

Regards,
-drc