[dns-operations] .com/.net DNSSEC operational message
Lutz Donnerhacke
lutz at iks-jena.de
Fri Oct 29 21:26:02 UTC 2010
* Joe Abley wrote:
> The benefit that you identified is that signing ROOT-SERVERS.NET would
> benefit validators that had (say) a ROOT-SERVERS.NET trust anchor and/or a
> NET trust anchor but no root trust anchor. Such a validator can't validate
> responses from root servers for the root zone anyway. Being sure that the
> address you sent a query to is the right one does not help you confirm that
> the response is authentic. I don't see the benefit, here. Perhaps I'm
> missing something?
You miss the point, that the adresses for the root servers come from the
configuration hints. It's possible to start with the hints and validate the
correct addresses using DNSSEC signed zones from ROOT-SERVERS.NET down to
the root itself.
So a signed root-servers.net allows an trustworthy update of the root-server
addresses starting from configured hints. There is no start from glue. It's
just validation the local configuration. And I do see a benefit in using
DNSSEC validation in priming operations.
Please keep in mind, that the Root-Servers does not send *signed* glue, so
there is no fear for exploding responses. If the root-server is also
responsible for a delegated zone (like GTLD-SERVERS.NET), it will include
signed glue (if there is enough space). So Florians fears can be caught be
preventing root-servers from serving additional zones at the same time.
More information about the dns-operations
mailing list