[dns-operations] .com/.net DNSSEC operational message

Florian Weimer fweimer at bfk.de
Mon Nov 1 13:52:53 UTC 2010

* Joe Abley:

> The priming query ". IN NS?" with DO=1 already includes an RRSIG
> over the NS set; since the data from the ROOT-SERVERS.NET zone is
> all additional-section courtesy glue, it's not obvious to me that
> signing ROOT-SERVERS.NET would increase the size of the priming
> response.

There are some servers that add RRSIGs known to them to the additional
section.  I'm pretty certain we don't want them on the priming

> Discussions to date have tended to conclude that there's no actual
> security benefit from signing the ROOT-SERVERS.NET zone.

I'm not sure I agree with that.  If there's ever another practical
blind spoofing vulnerability, having a signed ROOT-SERVERS.NET zone
seems desirable because it's the only way you can be sure that you're
talking to the right addresses, sort of additional protocol

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the dns-operations mailing list