[dns-operations] .com/.net DNSSEC operational message

Joe Abley jabley at hopcount.ca
Fri Oct 29 21:47:20 UTC 2010


On 2010-10-29, at 17:26, Lutz Donnerhacke wrote:

> * Joe Abley wrote:
> 
>> The benefit that you identified is that signing ROOT-SERVERS.NET would
>> benefit validators that had (say) a ROOT-SERVERS.NET trust anchor and/or a
>> NET trust anchor but no root trust anchor. Such a validator can't validate
>> responses from root servers for the root zone anyway. Being sure that the
>> address you sent a query to is the right one does not help you confirm that
>> the response is authentic. I don't see the benefit, here. Perhaps I'm
>> missing something?
> 
> You miss the point, that the addresses for the root servers come from the
> configuration hints. It's possible to start with the hints and validate the
> correct addresses using DNSSEC signed zones from ROOT-SERVERS.NET down to
> the root itself.
> 
> So a signed root-servers.net allows a trustworthy update of the root-server
> addresses starting from configured hints. There is no start from glue. It's
> just validating the local configuration. And I do see a benefit in using
> DNSSEC validation in priming operations.

Even if you have verified that you have the right address for a root server, there's nothing in the routing system that should give you cryptographic confidence that a packet sent to that address is going to arrive where you expect.

Surely the basic premise of DNSSEC is that we care about authenticating the data. My point is a more pragmatic one -- once a validator has found a root server address that serves verifiably-authentic responses, why does it care about validating the address it used?

> Please keep in mind that the Root-Servers do not send *signed* glue, so
> there is no fear of exploding responses.

Yes, that was my thinking when I replied to Florian earlier. However...

> If the root-server is also
> responsible for a delegated zone (like GTLD-SERVERS.NET), it will include
> signed glue (if there is enough space). So Florian's fears can be caught by
> preventing root-servers from serving additional zones at the same time.

... note that the root servers serve ROOT-SERVERS.NET as well as the root zone.


Joe
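The two positions in the exchange above can be made concrete with a small model of the priming chain of trust. This is an added example, not code from the thread or from any resolver; the "signatures" are HMAC-SHA256 with a shared secret standing in for a real DNSSEC key pair, so it demonstrates the DS -> DNSKEY -> RRSIG walk from a configured trust anchor, not the cryptography. Zone keys, names and addresses (192.0.2.0/24 is a documentation prefix) are constructed. With only a NET or ROOT-SERVERS.NET anchor, the validator can prove the A record of a root server (Lutz's point); it still cannot prove the root NS RRset, and the unsigned glue in the root zone proves nothing either (Joe's point).

```python
"""Toy model of DNSSEC-validated priming (added example, constructed data)."""
import hashlib
import hmac


def toy_sign(key: bytes, name: str, rtype: str, rdata: list) -> str:
    # Stand-in for an RRSIG: keyed hash over the canonical RRset.
    msg = f"{name}|{rtype}|{','.join(sorted(rdata))}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def toy_verify(key: bytes, name: str, rtype: str, rdata: list, sig: str) -> bool:
    return hmac.compare_digest(toy_sign(key, name, rtype, rdata), sig)


def ds_of(key: bytes) -> str:
    # DS record: hash of the child's DNSKEY, published and signed in the parent.
    return hashlib.sha256(key).hexdigest()


def signed(key: bytes, name: str, rtype: str, rdata: list) -> dict:
    return {"rdata": rdata, "rrsig": toy_sign(key, name, rtype, rdata)}


# Constructed zone keys (toy secrets, not real DNSKEYs).
ROOT_KEY, NET_KEY, RSN_KEY = b"root-zsk", b"net-zsk", b"root-servers-net-zsk"

# Constructed zone contents: root, NET, and a signed ROOT-SERVERS.NET.
ZONES = {
    ".": {"key": ROOT_KEY, "rrsets": {
        (".", "NS"): signed(ROOT_KEY, ".", "NS", ["a.root-servers.net."]),
        ("net.", "DS"): signed(ROOT_KEY, "net.", "DS", [ds_of(NET_KEY)]),
        # Glue in the root zone carries no RRSIG; a validator cannot rely on it.
        ("a.root-servers.net.", "A"): {"rdata": ["192.0.2.1"], "rrsig": None},
    }},
    "net.": {"key": NET_KEY, "rrsets": {
        ("root-servers.net.", "DS"):
            signed(NET_KEY, "root-servers.net.", "DS", [ds_of(RSN_KEY)]),
    }},
    "root-servers.net.": {"key": RSN_KEY, "rrsets": {
        ("a.root-servers.net.", "A"):
            signed(RSN_KEY, "a.root-servers.net.", "A", ["192.0.2.1"]),
    }},
}


def parent_of(zone: str) -> str:
    return "." if zone.count(".") == 1 else zone.split(".", 1)[1]


def trusted_key(zone: str, anchors: dict):
    """Return the zone's key if it chains to a configured trust anchor, else None."""
    key = ZONES[zone]["key"]
    if zone in anchors:
        return key if anchors[zone] == key else None
    if zone == ".":
        return None  # nothing above the root to chain from
    ds = validated_rrset(parent_of(zone), zone, "DS", anchors)
    if ds is None or ds_of(key) not in ds:
        return None
    return key


def validated_rrset(zone: str, name: str, rtype: str, anchors: dict):
    """Return the RRset's rdata only if it is signed by a key that chains to an anchor."""
    rr = ZONES[zone]["rrsets"].get((name, rtype))
    if rr is None or rr["rrsig"] is None:
        return None  # absent, or unsigned glue
    key = trusted_key(zone, anchors)
    if key is None or not toy_verify(key, name, rtype, rr["rdata"], rr["rrsig"]):
        return None
    return rr["rdata"]


def prime(anchors: dict) -> dict:
    """What a validator can prove during priming with the given trust anchors."""
    return {
        "root_ns": validated_rrset(".", ".", "NS", anchors),
        "a_root_addr": validated_rrset("root-servers.net.", "a.root-servers.net.", "A", anchors),
        "glue_only": validated_rrset(".", "a.root-servers.net.", "A", anchors),
    }


if __name__ == "__main__":
    for label, anchors in [("root anchor", {".": ROOT_KEY}),
                           ("NET anchor only", {"net.": NET_KEY}),
                           ("wrong root anchor", {".": b"not-the-root-key"})]:
        print(label, prime(anchors))
```

Swapping the anchor set shows the asymmetry: a NET-only anchor yields `a_root_addr` but `root_ns` stays `None`, a root anchor yields both, and a mismatched anchor yields neither. In every case `glue_only` is `None`, which is the "no start from glue" property.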

