[dns-operations] .com/.net DNSSEC operational message
Robert Edmonds
edmonds at isc.org
Mon Nov 1 20:56:17 UTC 2010
David Conrad wrote:
> Joe Abley wrote:
> >> Discussions to date have tended to conclude that there's no actual
> >> security benefit from signing the ROOT-SERVERS.NET zone.
>
> I disagree. There is a security benefit in being able to establish the
> data has not been modified regardless of from where you get the data.
> There is also the cognitive dissonance resulting from folks trumpeting
> the glories of DNSSEC yet (some would argue) a critical infrastructure
> zone isn't signed.
>
> All things being equal, it should be signed. I suspect there might be
> some non-technical complexities in getting root-servers.net signed,
> but not having it signed is just wrong.

if the root nameserver address records were in the root zone -- e.g.,
A., B., et al instead of A.ROOT-SERVERS.NET., B.ROOT-SERVERS.NET., et
al, or perhaps A.ROOT., B.ROOT., et al, with ROOT being an interior
label rather than a zone cut -- there'd be no need to argue over whether
there are security benefits in signing the zone containing the root
nameserver address records :)

what exactly are the historical reasons for storing the root nameserver
address records in a zone separate from the root zone?

--
Robert Edmonds
edmonds at isc.org