[dns-operations] .com/.net DNSSEC operational message

Matt Larson mlarson at verisign.com
Fri Oct 29 19:36:12 UTC 2010


On Fri, 29 Oct 2010, Bill Manning wrote:
> it is conceivable that there -might- be folk with a TA for NET or
> ROOT-SERVERS.NET.

I would hope no one configures a trust anchor for .net.  While
certainly such configuration can't be prevented, VeriSign has stated
repeatedly--and I will state it again here for the record--that we
will not be using RFC 5011 semantics when we roll the KSK for .com and
.net.  There will be DS records for the .com and .net KSKs in the root
and the path for trusting .com and .net is via trusting the signed
root.  Such is the convenience of having a signed parent.

As for root-servers.net, if it is ever signed, it would also benefit
from a signed parent (.net).  It's hard to imagine why we'd want to
draw attention to the root-servers.net KSK by publishing it as a trust
anchor or using RFC 5011 when rolling the KSK because, again, there's
a signed parent that can hold the root-servers.net DS record.

My point here is simply that the argument for signing root-servers.net
based on the possible existence of validators configured with .net or
root-servers.net trust anchors is a weak one based on emerging DNSSEC
operational reality for these zones.

Matt
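The trust path Matt describes, a child KSK authenticated only by a DS record in its signed parent, is worked through below as an added example; this is not code from the original post or from VeriSign. It implements the DS computation of RFC 4034 (key tag per Appendix B, digest per section 5.1.4, SHA-256 digest type 2) and the validator-side DS-to-DNSKEY match of RFC 4035, then walks a KSK roll for a hypothetical child zone: the parent publishes the new DS, withdraws the old one, and a validator that trusts only the parent keeps validating without ever holding a trust anchor for the child. The zone name "example.net." and the key blobs are constructed for illustration and are not the real .com/.net keys.

```python
"""Added example: DS records in a signed parent as the trust path for a child
KSK (RFC 4034 / RFC 4035).  Names and key material are constructed."""
import hashlib
import hmac
import os
import struct

SHA256_DIGEST_TYPE = 2   # DS digest type 2 (RFC 4509)
KSK_FLAGS = 257          # ZONE (256) | SEP (1)
ALG_RSASHA256 = 8


def canonical_owner_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase,
    length-prefixed labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            encoded = label.encode("ascii")
            if not 0 < len(encoded) < 64:
                raise ValueError("bad label length")
            out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA wire format: flags(2) protocol(1, always 3) algorithm(1) key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = SHA256_DIGEST_TYPE) -> dict:
    """What the parent publishes for the child's KSK:
    DS = key tag, algorithm, digest type, hash(canonical owner || DNSKEY RDATA)."""
    if digest_type != SHA256_DIGEST_TYPE:
        raise ValueError("only SHA-256 (digest type 2) is implemented here")
    digest = hashlib.sha256(canonical_owner_name(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(owner: str, ds: dict, rdata: bytes) -> bool:
    """Validator-side check (RFC 4035 s5.2): key tag and algorithm must agree
    and the digest recomputed over the received DNSKEY must match the DS."""
    if ds["algorithm"] != rdata[3] or ds["key_tag"] != key_tag(rdata):
        return False
    if ds["digest_type"] != SHA256_DIGEST_TYPE:
        return False  # digest type we cannot verify: no usable DS
    expected = hashlib.sha256(canonical_owner_name(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected, ds["digest"])


def simulate_ksk_roll(child: str = "example.net.") -> dict:
    """Roll the child's KSK with the parent's DS RRset as the only anchor.
    The key blobs are random bytes standing in for real public keys."""
    old_ksk = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, os.urandom(64))  # constructed
    new_ksk = dnskey_rdata(KSK_FLAGS, ALG_RSASHA256, os.urandom(64))  # constructed

    def anchored(ds_set, key):
        return any(ds_matches_dnskey(child, ds, key) for ds in ds_set)

    parent_ds = [make_ds(child, old_ksk)]              # steady state
    result = {"old_key_valid_before_roll": anchored(parent_ds, old_ksk),
              "new_key_rejected_before_publish": not anchored(parent_ds, new_ksk)}
    parent_ds.append(make_ds(child, new_ksk))          # parent pre-publishes new DS
    result["both_valid_during_double_ds"] = anchored(parent_ds, old_ksk) and anchored(parent_ds, new_ksk)
    old_digest = make_ds(child, old_ksk)["digest"]
    parent_ds = [ds for ds in parent_ds if ds["digest"] != old_digest]  # withdraw old DS
    result["old_key_valid_after_roll"] = anchored(parent_ds, old_ksk)
    result["new_key_valid_after_roll"] = anchored(parent_ds, new_ksk)
    return result


if __name__ == "__main__":
    for step, ok in simulate_ksk_roll().items():
        print(f"{step}: {ok}")
```

The validator never stores a key for the child: each step it re-derives trust from whatever DS the parent currently serves, which is exactly why a KSK roll for a zone with a signed parent needs neither a static trust anchor nor RFC 5011 tracking on the validator side. A real validator additionally checks the parent's RRSIG over the DS RRset and the child's RRSIG over its DNSKEY RRset; those signature checks are outside this example.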

