[dns-operations] DNSSEC undoing independence of root-zone operators

Paul Hoffman phoffman at proper.com
Tue Feb 15 21:20:57 UTC 2011


On 2/15/11 1:02 PM, Phil Pennock wrote:
> Folks,
>
> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators.

Which "independence" is this? Almost no one wants any root zone operator 
to have the "independence" to say that the NS records for .com are now 
ns.gave-vixie-20million.ir and ns.corrupted-the-swedes.eu. Why then 
would I care if all the repeated data is signed with a repeated signature?

> If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.

It is very poor taste to attribute intentions to someone who can no 
longer defend themselves.

I note that your blog post does not say that Postel put "independence" 
of the root operators in place; maybe don't say so in your summary. In 
fact, you only use "independence" in your entire post.

--Paul Hoffman



More information about the dns-operations mailing list