[dns-operations] .com/.net DNSSEC operational message

George Barwood george.barwood at blueyonder.co.uk
Fri Oct 29 21:54:28 UTC 2010


----- Original Message ----- 
From: "Joe Abley" <jabley at hopcount.ca>
To: <bmanning at vacation.karoshi.com>
Cc: "DNS-OARC DNS Operations" <dns-operations at mail.dns-oarc.net>; "Florian Weimer" <fweimer at bfk.de>
Sent: Friday, October 29, 2010 8:29 PM
Subject: Re: [dns-operations] .com/.net DNSSEC operational message


> The costs of signing ROOT-SERVERS.NET are non-zero, no matter how low you think they are, since they require additional operational processes, documentation, practice statements and perhaps (if we avoid making assumptions about how people like to build their infrastructure) key storage and signing hardware.
> 
> If someone could point out a tangible benefit of signing this particular, unusual zone, it'd be much easier to make a case for doing so.

A single successful spoof of the priming query allows an attacker to intercept and log all queries to the root
(assuming root-servers.net is left unsigned).

This would be a reduction of privacy and would also allow selective (at the TLD level) or general denial of service.

Whether you regard this as a tangible benefit is a matter of taste, I guess.

George
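
The reply above rests on a resolver taking its root server addresses from the priming response, which it cannot validate while root-servers.net is unsigned. As an added example (not part of the original message), this Python check compares a priming response with locally configured root hints and reports any divergence; the function names are hypothetical and every address is a constructed value from the documentation ranges, not a real root server address.

```python
from ipaddress import ip_address

# Constructed data: documentation-range addresses stand in for root server addresses.
HINTS = {
    "a.root-servers.net.": {"192.0.2.1", "2001:db8::1"},
    "b.root-servers.net.": {"192.0.2.2"},
    "c.root-servers.net.": {"192.0.2.3"},
}

def canon(name):
    """Lower-case and fully qualify a DNS name so comparisons are case-insensitive."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def audit_priming(hints, ns_targets, additional):
    """Compare a priming response with local hints.

    ns_targets: NS rdata from the answer section of the ". NS" query.
    additional: (owner, rrtype, rdata) tuples from the additional section.
    Returns sorted (finding, name, detail) tuples; an empty list means no divergence.
    """
    known = {canon(n): {ip_address(a) for a in addrs} for n, addrs in hints.items()}
    seen = {canon(n) for n in ns_targets}
    findings = [("unknown-ns", name, "") for name in seen - set(known)]
    findings += [("missing-ns", name, "") for name in set(known) - seen]
    for owner, rrtype, rdata in additional:
        if rrtype not in ("A", "AAAA"):
            continue
        owner, addr = canon(owner), ip_address(rdata)
        if owner not in known:
            findings.append(("glue-for-unknown-name", owner, str(addr)))
        elif addr not in known[owner]:
            findings.append(("unexpected-address", owner, str(addr)))
    return sorted(findings)

# Constructed responses: one matching the hints, one with a substituted address for b.
CLEAN = (["A.ROOT-SERVERS.NET.", "b.root-servers.net.", "c.root-servers.net."],
         [("a.root-servers.net.", "A", "192.0.2.1"),
          ("a.root-servers.net.", "AAAA", "2001:DB8:0:0:0:0:0:1"),
          ("b.root-servers.net.", "A", "192.0.2.2"),
          ("c.root-servers.net.", "A", "192.0.2.3")])
ALTERED = (CLEAN[0], CLEAN[1][:2] + [("b.root-servers.net.", "A", "198.51.100.66"),
                                     ("c.root-servers.net.", "A", "192.0.2.3")])

if __name__ == "__main__":
    print(audit_priming(HINTS, *CLEAN))
    print(audit_priming(HINTS, *ALTERED))
```

A finding is a prompt to verify against an authenticated copy of the root hints, since root server addresses do change occasionally.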

