[dns-operations] DNSSEC impact on applications was Re: security-aware stub resolver

Lutz Donnerhacke lutz at iks-jena.de
Tue May 27 08:13:03 UTC 2008

* Paul Vixie wrote:
> oh and one more related thing.  speaking as an ORSN operator, is it possible
> that IANA could create a signed zone file with different NS RRs at the top, so
> that folks who want to serve a secure root zone containing exactly and only
> IANA data, can do so with their own apex NS RRset?

That would be fine, but still unusable. The IANA DNSSEC test bed does
experiment with DNSSEC failures, so it is no production-grade root.

> i suspect that any number of
> test beds and more than a few inside-the-ISP root nameservers would like to
> be able to publish the IANA namespace but with their own apex NS RRset.  if
> IANA really is getting into the business of signing root zones, can this be
> another log on that fire please?
> (note, i'm asking for this because i know i can't have what i really want,
> which is the root zone, signed, and published by the actual root name servers.)

You can use a signed root with other NS (even for arpa and other IANA-based
zones): https://www.iks-jena.de/leistungen/keys.txt
