[dns-operations] DNSSEC undoing independence of root-zone operators
phoffman at proper.com
Tue Feb 15 21:20:57 UTC 2011
On 2/15/11 1:02 PM, Phil Pennock wrote:
> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators.
Which "independence" is this? Almost no one wants any root zone operator
to have the "independence" to say that the NS records for .com are now
ns.gave-vixie-20million.ir and ns.corrupted-the-swedes.eu. Why then
would I care if all the repeated data is signed with a repeated signature?
> If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.
It is very poor taste to attribute intentions to someone who can no
longer defend themselves.
I note that your blog post does not say that Postel put "independence"
of the root operators in place; maybe don't say so in your summary. In
fact, you only use "independence" in your entire post.
More information about the dns-operations