[dns-operations] .com/.net DNSSEC operational message

David Conrad drc at virtualized.org
Mon Nov 1 20:16:24 UTC 2010


On Nov 1, 2010, at 3:52 AM, Florian Weimer wrote:
> There are some servers that add RRSIGs known to them to the additional
> section.  

Do any of the servers running on the root servers do this?

Joe Abley wrote:
>> Discussions to date have tended to conclude that there's no actual
>> security benefit from signing the ROOT-SERVERS.NET zone.

I disagree. There is a security benefit in being able to establish the data has not been modified regardless of from where you get the data.  There is also the cognitive dissonance resulting from folks trumpeting the glories of DNSSEC yet (some would argue) a critical infrastructure zone isn't signed.

All things being equal, it should be signed.  I suspect there might be some non-technical complexities in getting root-servers.net signed, but not having it signed is just wrong.

Regards,
-drc



