[dns-operations] signing root-servers.net [Re: .com/.net DNSSEC operational message]

Peter Koch pk at DENIC.DE
Fri Oct 29 21:41:46 UTC 2010


On Fri, Oct 29, 2010 at 03:29:29PM -0400, Joe Abley wrote:

> In effect, the secure answer from the ROOT-SERVERS.NET zone provides no additional security, since validation of the answer requires you to infer trust in an address of a root server by having received authentic root-zone information from it.

i.o.w: DNSSEC doesn't sign delegations and thus the "delegation" of the "."
by the root.hints files of the world dosn't require it, either.

The more practical problem is that as long as the root servers' names
reside within root-servers.net, even a signed priming response isn't
self contained and complicates matters.

<http://tools.ietf.org/wg/dnsop/draft-ietf-dnsop-resolver-priming/>
contains part of that discussion and reflects the results of the results
discussion of the IETF DNSOP WG on this topic.
Followup to <dnsop at ietf.org>, please.

-Peter



More information about the dns-operations mailing list