[dns-operations] DNSSEC undoing independence of root-zone operators

Paul Vixie vixie at isc.org
Tue Feb 15 21:46:03 UTC 2011


> Date: Tue, 15 Feb 2011 16:02:35 -0500
> From: Phil Pennock <dnsop+phil at spodhuis.org>
> 
> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators.  If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.

i was there and i know what postel put in place and dnssec is fine by it.

your term "each root-zone operator" shows considerable misunderstanding.
there is "a" root zone and "an" operator for that.  private name spaces
are well supported by the dnssec model in that they can each have their
own "root key".

it's possible that mixed namespaces having elements from several private
namespaces as well as the public namespace will have a stake driven through
its dark heart by the universal deployment of dnssec.  if so, excelsior!



More information about the dns-operations mailing list