[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Paul Vixie paul at vix.com
Tue May 27 05:47:49 UTC 2008

> > % dig @ns.iana.org . axfr
> please have IANA let f-root know if we should fetch the root zone from
> ns.iana.org rather than from wherever we're getting it today.

oh and one more related thing.  speaking as an ORSN operator, is it possible
that IANA could create a signed zone file with different NS RRs at the top, so
that folks who want to serve a secure root zone containing exactly and only
IANA data, can do so with their own apex NS RRset?  note, there's no way such
an operator could make other changes (like inserting non-IANA TLD's,
deleting IANA TLD's, or changing any other NS RRset) since IANA's signatures
would uniquely cover the IANA-originated data, including proofs of
nonexistence of all interstitial namespaces.  i suspect that any number of
test beds and more than a few inside-the-ISP root nameservers would like to
be able to publish the IANA namespace but with their own apex NS RRset.  if
IANA really is getting into the business of signing root zones, can this be
another log on that fire please?

(note, i'm asking for this because i know i can't have what i really want,
which is the root zone, signed, and published by the actual root name servers.)

