[dns-operations] .com/.net DNSSEC operational message
bmanning at vacation.karoshi.com
Fri Oct 29 18:45:57 UTC 2010
On Fri, Oct 29, 2010 at 01:50:38PM -0400, Joe Abley wrote:
>
> > Will ROOT-SERVERS.NET be signed eventually? This might need prior
> > software changes on the root servers, to avoid that the size of the
> > priming response goes through the roof. It also triggers a special
> > case in resolver behavior which might not occur that often.
>
> This has come up a few times.
>
> The priming query ". IN NS?" with DO=1 already includes an RRSIG over the NS set; since the data from the ROOT-SERVERS.NET zone is all additional-section courtesy glue, it's not obvious to me that signing ROOT-SERVERS.NET would increase the size of the priming response.
>
> Discussions to date have tended to conclude that there's no actual security benefit from signing the ROOT-SERVERS.NET zone. Any validator with a trust anchor for the root zone is not going to believe signed answers from a bogus root server anyway.
>
>
> Joe
It's mildly amusing to read your arguments against deploying DNSSEC signed zones.
While you might be right - that a validator with a TA for "a" root zone is not
going to believe answers from an out-of-bailiwick root server (DNSSEC with BIND 'views'?),
it is conceivable that there -might- be folk with a TA for NET or ROOT-SERVERS.NET.
Again, I encourage the folks who have the operational control of those zones
to sign them.
--bill
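As an added illustration of the point quoted above about what a DO=1 priming response carries (this is not code from the thread, from BIND, or from any root-server operator): a stdlib-only Python snippet that builds the ". IN NS?" priming query with the DO bit set and, on a constructed sample response, separates the RRSIG-covered root NS set from the additional-section glue, which carries no signature of its own. The 192.0.2.x addresses in the sample are documentation-range placeholders, not real glue.

```python
import struct

A, NS, AAAA, OPT, RRSIG = 1, 2, 28, 41, 46  # RR type codes (RFC 1035/3596/6891/4034)
def encode_name(name):  # "a.root-servers.net." -> length-prefixed labels; the root "." is b"\x00"
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
def encode_rr(owner, rtype, rclass, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
def build_priming_query(qid=0x1234, bufsize=4096):
    # ". IN NS?" with an EDNS0 OPT record; DO is bit 0x8000 of the OPT record's TTL field
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD=0; 1 question, 1 additional (OPT)
    return header + encode_name(".") + struct.pack("!HH", NS, 1) + encode_rr(".", OPT, bufsize, 0x8000, b"")
def read_name(msg, off):  # decode a possibly compressed owner name -> (name, offset past it)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer: follow it, but resume after the pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
def parse_sections(msg):  # -> {"answer": [(owner, type, rdata), ...], "authority": [...], "additional": [...]}
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off, out = 12, {}
    for _ in range(qd): off = read_name(msg, off)[1] + 4  # skip QTYPE/QCLASS
    for sect, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[sect] = []
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            out[sect].append((owner, rtype, msg[off:off + rdlen])); off += rdlen
    return out
def priming_signature_coverage(msg):
    # What a validator can verify: the root NS set (RRSIG whose type-covered field is NS) vs. unsigned glue
    s = parse_sections(msg)
    ns_signed = any(t == RRSIG and rd[:2] == struct.pack("!H", NS) for o, t, rd in s["answer"] if o == ".")
    glue = sorted(o for o, t, _ in s["additional"] if t in (A, AAAA))
    return {"ns_signed": ns_signed, "glue": glue, "glue_signed": any(t == RRSIG for _, t, _ in s["additional"])}
def sample_priming_response():
    # Constructed sample, not a capture: two root NS records, an RRSIG over the NS set (only its
    # type-covered field is filled in) and unsigned A glue using documentation-range addresses
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 3, 0, 3)  # QR=1 AA=1; 3 answer, 3 additional
    ns_set, glue = b"", b""
    for host, last in (("a.root-servers.net.", 1), ("b.root-servers.net.", 2)):
        ns_set += encode_rr(".", NS, 1, 518400, encode_name(host))
        glue += encode_rr(host, A, 1, 518400, bytes([192, 0, 2, last]))
    rrsig = encode_rr(".", RRSIG, 1, 518400, struct.pack("!H", NS) + b"\x00" * 18)
    return hdr + encode_name(".") + struct.pack("!HH", NS, 1) + ns_set + rrsig + glue + encode_rr(".", OPT, 4096, 0x8000, b"")
```

Pointing parse_sections at a real priming response captured from a root server shows the same split: RRSIG records only in the answer section, glue in the additional section without them.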