[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers
Joe Abley
jabley at ca.afilias.info
Wed May 21 13:00:51 UTC 2008
On 21 May 2008, at 08:07, McTim wrote:
> On Wed, May 21, 2008 at 1:38 PM, Shane Kerr <Shane_Kerr at isc.org>
> wrote:
> [...]
>>
>> Now that we've seen DNS-based problems with the root in the wild,
>> perhaps it is time to consider signing ROOT-SERVERS.NET?
>>
>
> There's an idea!!, but who signs/holds the key?
> nstld at verisign-grs.com? ICANN? Bert? ;-)
The root server operators manage to coordinate loosely on other things
as a group, and their number is well-bound. It doesn't seem difficult
to imagine that they could take turns creating a key with which to
sign the one, and arrange for escrow copies to be retained by the
whole group.
The signing of the zone would presumably be done by the organisation
that currently maintains change control over it.
I believe the number of root nameserver instances which are capable of
serving signed zones (with NSEC, at least) is a matter of public record.
I'm not trying to propose policy on an operations list so much as try
to illustrate that reasonable-sounding policies that don't involve
much more cooperation and trust than already exists are not hard to
come up with.
Joe