[dns-operations] .com/.net DNSSEC operational message
jabley at hopcount.ca
Fri Oct 29 19:29:29 UTC 2010
On 2010-10-29, at 15:03, bmanning at vacation.karoshi.com wrote:
>> There's an assessment to be made of benefit vs. risk in this, as with all things.
> this is the second time I've heard the beginnings of justification for not signing
> the whole tree. it can be a compelling argument - but kind of leaves open the
> question about "islands of trust" and the requirement to be able to support
> multiple Trust Anchors et al.
Again, I'm talking about a very specific zone, with a very specific and slightly unusual purpose. I'm not sure why you're trying to expand this line of thinking to cover the whole DNS, because clearly the benefits for other zones are different.
A validator with an empty cache that was trying to find a secure answer to (e.g.) B.ROOT-SERVERS.NET IN A? would need to perform a bottom-up traversal to a DNSKEY it had a trust anchor for before the secure answer could be validated. In the expected/usual case, where a validator is configured with a trust anchor for the root zone, this means that it needs to send queries to a root server without the prior benefit of having a secure answer for the root server's address. In effect, the secure answer from the ROOT-SERVERS.NET zone provides no additional security, since validation of the answer requires you to infer trust in an address of a root server by having received authentic root-zone information from it.
The benefit that you identified is that signing ROOT-SERVERS.NET would benefit validators that had (say) a ROOT-SERVERS.NET trust anchor and/or a NET trust anchor but no root trust anchor. Such a validator can't validate responses from root servers for the root zone anyway. Being sure that the address you sent a query to is the right one does not help you confirm that the response is authentic. I don't see the benefit, here. Perhaps I'm missing something?
>> I'm not arguing that ROOT-SERVERS.NET should not be signed, but rather relating a lack of identified benefit. As with all operational changes, there is non-zero cost/risk in doing so. It seems only reasonable to identify a clear benefit before deciding to make a change.
> Turning your question on its head, what's the benefit in NOT signing the zone?
I don't understand the upside-down question. It's already not signed.
> As to risk, your earlier missive suggests the risk is low, as to cost, the parties
> have already sunk cost in deploying signing infrastructure, one small zone is
> going to be inconsequential.
I think the risk to DNS operations is low, but we've done no experiments to give us comfort that this is the case.
The costs of signing ROOT-SERVERS.NET are non-zero, no matter how low you think they are, since they require additional operational processes, documentation, practice statements and perhaps (if we avoid making assumptions about how people like to build their infrastructure) key storage and signing hardware.
If someone could point out a tangible benefit of signing this particular, unusual zone, it'd be much easier to make a case for doing so.
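The dependency Joe describes above (a cold-cache validator must query a root server, using a hints address, before it can validate anything, so a signed ROOT-SERVERS.NET cannot protect that first step; and a validator with only a ROOT-SERVERS.NET or NET trust anchor still cannot validate root-zone answers) can be modelled as a small trust-chain walk. The following is an added example, not code from this thread or from any root-server operator; it uses constructed toy zone data (which zones are signed, which DS links exist) and does no real cryptography, only the chain-of-trust bookkeeping:

```python
"""Toy model of the DNSSEC trust-chain dependency discussed in this thread.

Three zones are modelled: "." (root), "net.", and "root-servers.net.".
A ToyDNS records which zones carry a DNSKEY RRset and which parents publish
a DS for a signed child. A validator holds trust anchors for some set of zones.
The model then asks, for a validator with an empty cache resolving
B.ROOT-SERVERS.NET IN A:

  * can the answer itself be validated?
  * was the root-server address used for the validator's very first query
    validated before use? (It never is: it has to come from the root hints.)
  * can answers from the root zone itself be validated?
"""
from __future__ import annotations

from dataclasses import dataclass, field

ROOT = "."
NET = "net."
RSN = "root-servers.net."


@dataclass
class ToyDNS:
    """Constructed zone data (not real DNS): signed zones and (parent, child) DS links."""
    signed: set[str]
    ds_links: set[tuple[str, str]] = field(default_factory=set)


def ancestors(zone: str) -> list[str]:
    """Zones from the root down to `zone`: 'root-servers.net.' -> ['.', 'net.', 'root-servers.net.']."""
    labels = [label for label in zone.split(".") if label]
    chain = [ROOT]
    for i in range(len(labels) - 1, -1, -1):
        chain.append(".".join(labels[i:]) + ".")
    return chain


def chain_of_trust(dns: ToyDNS, zone: str, anchors: set[str]) -> list[str] | None:
    """Zones whose DNSKEYs the validator can authenticate on the way to `zone`, or None.

    A chain starts at `zone` or an ancestor for which the validator holds a trust
    anchor; every step below that point must be a signed child with a DS in its parent.
    """
    path = ancestors(zone)
    for i, top in enumerate(path):
        if top not in anchors or top not in dns.signed:
            continue
        linked = all(
            (path[j], path[j + 1]) in dns.ds_links and path[j + 1] in dns.signed
            for j in range(i, len(path) - 1)
        )
        if linked:
            return path[i:]
    return None


def cold_cache_lookup(dns: ToyDNS, anchors: set[str]) -> dict[str, bool]:
    """Outcome for a validator with an empty cache resolving B.ROOT-SERVERS.NET IN A."""
    # With nothing cached, the first query goes to a root server at an address taken
    # from the hints file. Nothing has been validated yet, so that address cannot have
    # been, whatever the signing status of ROOT-SERVERS.NET.
    first_query_address_validated = False
    return {
        "first_query_address_validated": first_query_address_validated,
        "answer_validated": chain_of_trust(dns, RSN, anchors) is not None,
        "root_zone_answers_validated": chain_of_trust(dns, ROOT, anchors) is not None,
    }


# Scenario as of the thread: root and NET signed, ROOT-SERVERS.NET unsigned.
TODAY = ToyDNS(signed={ROOT, NET}, ds_links={(ROOT, NET)})
# Hypothetical scenario: ROOT-SERVERS.NET signed, with a DS published in NET.
SIGNED = ToyDNS(signed={ROOT, NET, RSN}, ds_links={(ROOT, NET), (NET, RSN)})

if __name__ == "__main__":
    for label, dns, anchors in [
        ("today, root anchor", TODAY, {ROOT}),
        ("signed, root anchor", SIGNED, {ROOT}),
        ("signed, root-servers.net anchor only", SIGNED, {RSN}),
    ]:
        print(label, cold_cache_lookup(dns, anchors))
```

Running it shows the three cases in the mail: with today's data and a root anchor the A answer is unsigned but root-zone answers validate; signing the zone makes the A answer validate yet leaves `first_query_address_validated` false, since the hints address is used before any chain exists; and a validator with only a ROOT-SERVERS.NET anchor can validate the address but still cannot validate anything the root servers say about the root zone.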