[dns-operations] DNSSEC undoing independence of root-zone operators

Joe Abley jabley at hopcount.ca
Tue Feb 15 21:20:46 UTC 2011

On 2011-02-15, at 16:02, Phil Pennock wrote:

> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators.  If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.

The root server operators have never independently influenced the contents of the root zone -- we just serve what we are given. Independently signing the root zone would mean that we had changed the scope of our role to include changing the contents of the zone.

Root server operators continue to act automomously in their planning and deployment of root server infrastructure. There is no change to this due to the deployment of DNSSEC in the root zone.

If root server operators were to start individually signing the root zone, the attack surface for the keys used would increase, there might well be reduced accountability for how the keys were managed, and the role of root server operators would be changed from serving the root zone to taking responsibility for editing it. It's not clear to me that anybody wants this.

Your logic seems to derive from the hard expectation that root server operators stand ready to edit the root zone in the event that it changes in a way that displeases them. I'm not sure where that expectation comes from. Can you cite references?

A point of clarification with reference to the blog post: the keys used to sign the root zone are in fact split between two organisations, ICANN and VeriSign (your post says just one key is used). Both organisations collaborate in order to sign the root zone.


More information about the dns-operations mailing list