[dns-operations] DNSSEC undoing independence of root-zone operators
dnsop+phil at spodhuis.org
Tue Feb 15 22:45:08 UTC 2011
On 2011-02-15 at 14:28 -0800, David Conrad wrote:
> In your model, what would happen if a root server operator goes rogue
> (e.g., the CEO of the parent organization decides it is in the best
> interests of her stockholders to insert their own set of TLDs into
> their version of the root zone)?
The exact same thing that would happen if they did so now. My proposal
preserves the unexercised ability for root server operators to split
that they have now. It's deliberately designed so that there is no
change. DNSSEC doesn't add this ability. DNSSEC with only a single set
of keys used to sign the root does take it away.
As to what would happen: a lot of chaos and confusion slowly fading as
the ISPs (or other providers of recursive service) decide which root
servers (or announced paths to anycasted root servers) to accept.
Eg, when I was an ISP hostmaster and the Verisign wildcard-in-.com
debacle occurred, I asked "what happens if a wildcard appears in the
My proposed policy was accepted: we agreed in principle with RFC 2826's
Unique DNS Root stance, but if we ever saw the root zone mismanaged,
such as by the introduction of wildcards to commercial advantage, then
we would choose the most stable and sane alternative root to switch to.
Not to get new TLDs, but to have a stable operational service.
As long as nothing was abused, nothing needed to change, but we laid out
the scenario for when we would change. In the meantime, a state of
After all, the Internet is comprised of cooperating autonomous networks,
most of whom can't be *forced* to implement things a certain way. It
makes good operational sense to stick with the normal root zone, as long
as it was managed sanely. It's mutually beneficial to have a single
stable root, as long as it's not censored. But each operator of a
server *can* choose where to get their data from. The ability to make
that choice is different from exercising that choice.
There's a difference between *choosing* to do nothing, and just ignoring
the issue. This is detente.
More information about the dns-operations