[dns-operations] DNSSEC undoing independence of root-zone operators

David Conrad drc at virtualized.org
Tue Feb 15 23:06:01 UTC 2011


On Feb 15, 2011, at 2:45 PM, Phil Pennock wrote:
> My proposal
> preserves the unexercised ability for root server operators to split
> that they have now.

As several people, some of whom actually are root server operators, have already pointed out, you are assuming an ability that does not necessarily exist.

> It's deliberately designed so that there is no
> change.  DNSSEC doesn't add this ability.  DNSSEC with only a single set
> of keys used to sign the root does take it away.

Say the Illuminati force VeriSign to remove .US from the root zone and publish it.

Current solution: resolver operators take action (presumably to reinsert .US (if they care)).

End result: multiple name spaces determined by resolver operators.

Your proposed solution: some number of root server operators refuse to accept the change and resign the old zone with .US still in it, while presumably others (e.g., the ones operated by the USG or their direct contractors) accept the change and sign the .US-less zone.  Remedy: resolver operators modify their hints to use only the root servers they think are doing the right thing.

End result: multiple name spaces determined by resolver operators.

What problem are you trying to solve again?

Regards,
-drc
