[dns-operations] DNSSEC undoing independence of root-zone operators
jim at rfc1035.com
Tue Feb 15 22:38:18 UTC 2011
On 15 Feb 2011, at 21:02, Phil Pennock wrote:
> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators. If each root-zone operator independently
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.
What "independence" do you mean? The root wasn't really independent in
Jon's day. The root zone operators published the zone file that Jon
Postel maintained. He *was* the IANA back then. Today it's still IANA
which maintains that root zone.
If anything, the roles and responsibilities are much clearer now. IANA
manage the root zone. Verisign generate the zone file and arrange for
its distribution. The root server operators publish it. What is gained
by scrambling that and intermixing those clearly delimited roles and
responsibilities with its inherent system of checks and balances? How
would your scheme improve things or fix an actual or perceived problem?
I'm not sure there's any benefit from your suggestion. It's not clear
what problem(s) this idea of yours solves. If anything, it would make
it easier to fragment the name space and destabilise the Internet:
just get the boys in black helicopters to visit an accommodating root
signer and job done! It's also not clear if the root server operators
would want or welcome having the responsibility for signing "their"
version of the root and endure all the layer-9 crap and above that
that would entail.
On a technical/operational level, how will each of these autonomously
signed root zones deal with key rollover and synchronisation for the
signed delegations? [Hint: that's an N-squared problem where ICANN
expects the number of TLDs to increase at 200-1000 a year.] Suppose
TLD1 can't/won't present their new KSK to root signer A or if A
refuses to "do business" with TLD1. What if signer Z can't/won't pick
up the new KSK for TLD1 at or around the same time as signer A? There
are bound to be plenty more of these kinds of issues: those are the
ones that immediately spring to mind.
> Constructive commentary sought. But please read the full post before
> replying, to try to understand what I already know and what I'm
> suggesting. In particular, I like DNSSEC and am not opposed to it,
> to an operational detail of how it's being deployed right now.
If you think this is "only an operational detail", then you need to
take extra remedial classes in Internet politics. I recommend a few
years of mandatory detention at ICANN, ITU and WSIS meetings. :-)
As soon as there's more than one "official" trust anchor for the root,
it opens up a Pandora's box where there would be no limit to the number
of root trust anchors and who issues them. [Where do you draw the line
and who gets to decide? BTW imagine an Internet where say Microsoft
applications only worked if they successfully did DNS validation
against Microsoft's signed version of the root.] That would be very
destabilising even if it could be made to work. For some definition of
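As an added illustration of the key-rollover synchronisation point raised above (this is example code written for this page, not anything from the original post or from any root-zone operator), the following models N hypothetical, autonomously signed copies of the root, each holding its own DS set per TLD. A TLD rolls its KSK and presents the new key to only some of the signers; a resolver whose copy of the root came from a signer that has not yet picked up the new DS can no longer validate that TLD. The DS and key-tag computations follow RFC 4034; the signer names (A, B, C, Z), the TLD name `tld1.` and the key bytes are constructed placeholders.

```python
"""Constructed model of DS synchronisation across independent root signers."""
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key material."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes) -> tuple:
    """DS tuple (key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY.

    RFC 4034 section 5.1.4: digest = SHA-256(canonical owner name | DNSKEY RDATA).
    """
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)


class RootSigner:
    """One hypothetical autonomously signed root: a DS set per delegated TLD."""

    def __init__(self, name: str):
        self.name = name
        self.ds = {}  # tld -> set of DS tuples this signer has published

    def accept_ksk(self, tld: str, rdata: bytes) -> None:
        """The TLD operator presented this KSK; publish its DS in this root."""
        self.ds.setdefault(tld, set()).add(ds_record(tld, rdata))

    def validates(self, tld: str, rdata: bytes) -> bool:
        """True if a DNSKEY RRset signed with this KSK chains to this copy of the root."""
        return ds_record(tld, rdata) in self.ds.get(tld, set())


def rollover_outcome(signers, tld: str, new_ksk: bytes, informed) -> dict:
    """TLD presents new_ksk only to signers named in `informed`, then signs with it alone.

    Returns {signer name: validates?} as seen by a resolver whose root copy came
    from that signer.
    """
    for s in signers:
        if s.name in informed:
            s.accept_ksk(tld, new_ksk)
    return {s.name: s.validates(tld, new_ksk) for s in signers}


def demo():
    """Four constructed signers; tld1 rolls its KSK but only A and B pick up the DS."""
    signers = [RootSigner(n) for n in "ABCZ"]
    tld = "tld1."
    # flags 257 = ZONE+SEP (a KSK); algorithm 13 = ECDSAP256SHA256.
    # The 64-byte key bodies are placeholders, not real public keys.
    old_ksk = dnskey_rdata(257, 13, b"\x01" * 64)
    new_ksk = dnskey_rdata(257, 13, b"\x02" * 64)
    for s in signers:
        s.accept_ksk(tld, old_ksk)
    before = {s.name: s.validates(tld, old_ksk) for s in signers}
    after = rollover_outcome(signers, tld, new_ksk, informed={"A", "B"})
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before rollover:", before)
    print("after rollover: ", after)
```

With one signer and one DS set there is one place for a TLD to present its KSK and one thing for a resolver to trust; with N signers every TLD rollover has to reach all N, and any signer that lags turns into a validation failure for everyone whose root copy came from it.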