[dns-operations] DNSSEC undoing independence of root-zone operators

Jim Reid jim at rfc1035.com
Tue Feb 15 22:38:18 UTC 2011


On 15 Feb 2011, at 21:02, Phil Pennock wrote:

> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators.  If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.

What "independence" do you mean? The root wasn't really independent in  
Jon's day. The root zone operators published the zone file that Jon  
Postel maintained. He *was* the IANA back then. Today it's still IANA  
which maintains that root zone.

If anything, the roles and responsibilities are much clearer now. IANA  
manage the root zone. Verisign generate the zone file and arrange for  
its distribution. The root server operators publish it. What is gained  
by scrambling that and intermixing those clearly delimited roles and  
responsibilities with its inherent system of checks and balances? How  
would your scheme improve things or fix an actual or perceived problem?

I'm not sure there's any benefit from your suggestion. It's not clear  
what problem(s) this idea of yours solves. If anything, it would make  
it easier to fragment the name space and destabilise the Internet:  
just get the boys in black helicopters to visit an accommodating root  
signer and job done! It's also not clear if the root server operators  
would want or welcome having the responsibility for signing "their"  
version of the root and endure all the layer-9 crap and above that  
that would entail.

On a technical/operational level, how will each of these autonomously  
signed root zones deal with key rollover and synchronisation for the  
signed delegations? [Hint: that's an N-squared problem where ICANN  
expects the number of TLDs to increase at 200-1000 a year.] Suppose  
TLD1 can't/won't present their new KSK to root signer A or if A  
refuses to "do business" with TLD1. What if signer Z can't/won't pick  
up the new KSK for TLD1 at or around the same time as signer A? There  
are bound to be plenty more of these kinds of issues: those are the  
ones that immediately spring to mind.

> Constructive commentary sought.  But please read the full post before
> replying, to try to understand what I already know and what I'm
> suggesting.  In particular, I like DNSSEC and am not opposed to it, only
> to an operational detail of how it's being deployed right now.

If you think this is "only an operational detail", then you need to  
take extra remedial classes in Internet politics. I recommend a few  
years of mandatory detention at ICANN, ITU and WSIS meetings. :-)

As soon as there's more than one "official" trust anchor for the root,
it opens up a Pandora's box where there would be no limit to the number
of root trust anchors and who issues them. [Where do you draw the line
and who gets to decide? BTW imagine an Internet where say Microsoft
applications only worked if they successfully did DNS validation
against Microsoft's signed version of the root.] That would be very
destabilising even if it could be made to work. For some definition of
"work".
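The rollover objection above, modelled as an added example that is not part of the thread: N independently signed root copies each carry their own DS set per TLD, a resolver trusting a given copy validates a TLD KSK only against that copy's DS, and a TLD KSK rollover that signer Z has not yet picked up leaves resolvers split on whether TLD1 validates. Signer and TLD names and the key bytes are constructed; SHA-256 stands in for the real DS digest.

```python
import hashlib
from dataclasses import dataclass, field


def ds_digest(dnskey: bytes) -> str:
    """DS record content: a digest of the child's KSK DNSKEY (SHA-256 as a stand-in)."""
    return hashlib.sha256(dnskey).hexdigest()


@dataclass
class RootSigner:
    """One independently signed copy of the root and the DS set it publishes per TLD."""
    name: str
    ds: dict = field(default_factory=dict)   # tld -> set of DS digests
    updates: int = 0                         # DS-set changes this signer had to process

    def publish_ds(self, tld: str, ksk: bytes) -> None:
        self.ds.setdefault(tld, set()).add(ds_digest(ksk))
        self.updates += 1


def validates(root: RootSigner, tld: str, ksk: bytes) -> bool:
    """A resolver trusting `root` accepts a TLD KSK only if a matching DS is in that copy."""
    return ds_digest(ksk) in root.ds.get(tld, set())


def build_root_copies(names, tlds: dict) -> list:
    """Every signer must take in a DS for every TLD: N signers x M TLDs publication events."""
    signers = [RootSigner(n) for n in names]
    for s in signers:
        for tld, ksk in tlds.items():
            s.publish_ds(tld, ksk)
    return signers


def total_ds_updates(signers) -> int:
    return sum(s.updates for s in signers)


def rollover(signers, tld: str, new_ksk: bytes, lagging: set) -> dict:
    """TLD rolls its KSK; signers not in `lagging` publish the new DS, the rest do not.
    Returns, per signer, whether a resolver trusting that copy validates the new KSK."""
    for s in signers:
        if s.name not in lagging:
            s.publish_ds(tld, new_ksk)
    return {s.name: validates(s, tld, new_ksk) for s in signers}


if __name__ == "__main__":
    tlds = {f"tld{i}": f"ksk-tld{i}-v1".encode() for i in range(1, 4)}  # constructed keys
    signers = build_root_copies(["A", "B", "Z"], tlds)
    print(total_ds_updates(signers))                                   # 9
    print(rollover(signers, "tld1", b"ksk-tld1-v2", lagging={"Z"}))    # Z: False
```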
