[dns-operations] .com/.net DNSSEC operational message

Robert Edmonds edmonds at isc.org
Mon Nov 1 20:56:17 UTC 2010

David Conrad wrote:
> Joe Abley wrote:
> >> Discussions to date have tended to conclude that there's no actual
> >> security benefit from signing the ROOT-SERVERS.NET zone.
> I disagree. There is a security benefit in being able to establish the
> data has not been modified regardless of from where you get the data.
> There is also the cognitive dissonance resulting from folks trumpeting
> the glories of DNSSEC yet (some would argue) a critical infrastructure
> zone isn't signed.
> All things being equal, it should be signed.  I suspect there might be
> some non-technical complexities in getting root-servers.net signed,
> but not having it signed is just wrong.

if the root nameserver address records were in the root zone -- e.g.,
A., B., et al instead of A.ROOT-SERVERS.NET., B.ROOT-SERVERS.NET., et
al, or perhaps A.ROOT., B.ROOT., et al, with ROOT being an interior
label rather than a zone cut -- there'd be no need to argue over whether
there are security benefits in signing the zone containing the root
nameserver address records :)

what exactly are the historical reasons for storing the root nameserver
address records in a zone separate from the root zone?

Robert Edmonds
edmonds at isc.org

More information about the dns-operations mailing list