[dns-operations] DNSSEC undoing independence of root-zone operators

Phil Pennock dnsop+phil at spodhuis.org
Tue Feb 15 21:02:35 UTC 2011


TL;DR: DNSSEC as currently deployed undermines the independence of the
DNS root-zone operators.  If each root-zone operator independently signs
and the resolvers maintain a *set* of concurrent equivalent signing
keys, we restore the independence which Postel put in place.

Blog post:
(no ads, I make no money by pimping this)

I've run this by three experienced operators and the view from all was
that I'm running smack into too much politics, but not that I'm wrong.
I normally try to avoid the politics, but I think that this time it's
too important.

Note that there should be no additional burden for resolver operators,
as whatever manages root zone key updates automatically now "just" needs
to handle asking each root and getting a full set of updates, whether
this is an external tool or built-in to the server; cf unbound's
"auto-trust-anchor-file" which would just grab a bunch more keys at
once.  For the root server operators, they have to sort out a signing
process themselves, but that cost is balanced by what it buys: continued

Constructive commentary sought.  But please read the full post before
replying, to try to understand what I already know and what I'm
suggesting.  In particular, I like DNSSEC and am not opposed to it, only
to an operational detail of how it's being deployed right now.


More information about the dns-operations mailing list