[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Joe Abley jabley at ca.afilias.info
Wed May 21 13:00:51 UTC 2008

On 21 May 2008, at 08:07, McTim wrote:

> On Wed, May 21, 2008 at 1:38 PM, Shane Kerr <Shane_Kerr at isc.org>  
> wrote:
> [...]
>> Now that we've seen DNS-based problems with the root in the wild,
>> perhaps it is time to consider signing ROOT-SERVERS.NET?
> There's an idea!!, but who signs/holds the key?
> nstld at verisign-grs.com? ICANN? Bert? ;-)

The root server operators manage to coordinate loosely on other things  
as a group, and their number is well-bound. It doesn't seem difficult  
to imagine that they could take turns creating a key with which to  
sign the one, and arrange for escrow copies to be retained by the  
whole group.

The signing of the zone would presumably be done by the organisation  
that currently maintains change control over it.

I believe the number of root nameserver instances which are capable of  
serving signed zones (with NSEC, at least) is a matter of public record.

I'm not trying to propose policy on an operations list so much as try  
to illustrate that reasonable-sounding policies that don't involve  
much more cooperation and trust that already exists are not hard to  
come up with.


More information about the dns-operations mailing list