[dns-operations] .com/.net DNSSEC operational message

Joe Abley jabley at hopcount.ca
Fri Oct 29 17:50:38 UTC 2010


On 2010-10-29, at 13:18, Florian Weimer wrote:

> * Matt Larson:
> 
>> December 9, 2010: The .net key material will be unobscured and the
>> .net zone will be usable for DNSSEC validation.  DS records for .net
>> will appear in the root zone shortly thereafter.
> 
> Will ROOT-SERVERS.NET be signed eventually?  This might need prior
> software changes on the root servers, to avoid that the size of the
> priming response goes through the roof.  It also triggers a special
> case in resolver behavior which might not occur that often.

This has come up a few times.

The priming query ". IN NS?" with DO=1 already includes an RRSIG over the NS set; since the data from the ROOT-SERVERS.NET zone is all additional-section courtesy glue, it's not obvious to me that signing ROOT-SERVERS.NET would increase the size of the priming response.

Discussions to date have tended to conclude that there's no actual security benefit from signing the ROOT-SERVERS.NET zone. Any validator with a trust anchor for the root zone is not going to believe signed answers from a bogus root server anyway.


Joe
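The message structure Joe is reasoning about, as an added illustration that is not part of the original post or of any root-server software: a DO=1 priming query ("." IN NS with an EDNS0 OPT RR whose DO flag is set) and a constructed priming response in which the NS set and its RRSIG sit in the answer section while the ROOT-SERVERS.NET address records sit, unsigned, in the additional section. The response is entirely made up for the example: three name-server names, RFC 5737 documentation addresses instead of the real ones, a placeholder RRSIG whose signature bytes are zeros, and no label compression. The parser does handle compression pointers, so it can also be pointed at a real response captured from a root server.

```python
"""Build a DO=1 priming query and parse a constructed priming response by section."""
import struct

NS, A, OPT, RRSIG = 2, 1, 41, 46


def encode_name(name):
    """Wire-encode a DNS name without label compression (constructed messages only)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def build_priming_query(txid=0x1234, do_bit=True, udp_size=4096):
    """'. IN NS' query with an EDNS0 OPT RR; the DO bit is bit 15 of the OPT TTL field."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)   # RD=0, 1 question, 1 OPT
    question = encode_name(".") + struct.pack("!HH", NS, 1)    # QTYPE=NS, QCLASS=IN
    ttl_field = 0x8000 if do_bit else 0                        # ext-rcode=0, version=0, DO
    opt = encode_name(".") + struct.pack("!HHIH", OPT, udp_size, ttl_field, 0)
    return header + question + opt


def rr(owner, rtype, ttl, rdata, rclass=1):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered, signer, signature):
    # Constructed RRSIG fields: alg 8, 0 labels (root owner), original TTL, expiration,
    # inception, key tag 0xBEEF. The signature bytes are a placeholder, not a real signature.
    return (struct.pack("!HBBIIIH", type_covered, 8, 0, 518400, 0x4CD00000, 0x4CC00000, 0xBEEF)
            + encode_name(signer) + signature)


# Constructed server set; 192.0.2.0/24 is documentation space, not the real root addresses.
ROOT_NS = ["a.root-servers.net.", "b.root-servers.net.", "c.root-servers.net."]
GLUE = {n: bytes([192, 0, 2, i + 1]) for i, n in enumerate(ROOT_NS)}


def build_sample_response(txid=0x1234):
    """Constructed priming response: signed NS set in ANSWER, unsigned glue in ADDITIONAL."""
    answer = b"".join(rr(".", NS, 518400, encode_name(n)) for n in ROOT_NS)
    answer += rr(".", RRSIG, 518400, rrsig_rdata(NS, ".", b"\x00" * 32))
    additional = b"".join(rr(n, A, 3600000, addr) for n, addr in GLUE.items())
    additional += encode_name(".") + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)  # echoes DO
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(ROOT_NS) + 1, 0, len(GLUE) + 1)  # QR, AA
    question = encode_name(".") + struct.pack("!HH", NS, 1)
    return header + question + answer + additional


def decode_name(msg, off):
    """Decode a name at msg[off], following RFC 1035 compression pointers; return (name, next)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer: remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off


def parse_sections(msg):
    """Return {section: {"rrs": [(owner, type, ttl)], "bytes": n}} for the three RR sections."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                    # QTYPE + QCLASS
    out = {}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        start, rrs = off, []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            rrs.append((owner, rtype, ttl))
        out[sec] = {"rrs": rrs, "bytes": off - start}
    return out


def query_has_do(query):
    """True if the query carries an OPT RR with the DO flag set."""
    return any(t == OPT and ttl & 0x8000 for _, t, ttl in
               parse_sections(query)["additional"]["rrs"])


def summarize(msg):
    """Where the signatures and the ROOT-SERVERS.NET data sit in a priming response."""
    secs = parse_sections(msg)
    return {
        "rrsig_in_answer": sum(1 for _, t, _ in secs["answer"]["rrs"] if t == RRSIG),
        "rrsig_in_additional": sum(1 for _, t, _ in secs["additional"]["rrs"] if t == RRSIG),
        "glue_owners": [o for o, t, _ in secs["additional"]["rrs"] if t == A],
        "answer_bytes": secs["answer"]["bytes"],
        "additional_bytes": secs["additional"]["bytes"],
        "total_bytes": len(msg),
    }


if __name__ == "__main__":
    q = build_priming_query()
    print("priming query:", len(q), "bytes, DO set:", query_has_do(q))
    for k, v in summarize(build_sample_response()).items():
        print(f"{k}: {v}")
```

Running it prints the per-section byte counts of the constructed response; the only RRSIG is the one over the NS set in the answer section, and every ROOT-SERVERS.NET record is additional-section glue, which is the split the post relies on.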

