[dns-operations] DNSSEC undoing independence of root-zone operators

Andrew Sullivan ajs at shinkuro.com
Tue Feb 15 23:10:05 UTC 2011

On Tue, Feb 15, 2011 at 05:45:08PM -0500, Phil Pennock wrote:

> preserves the unexercised ability for root server operators to split
> that they have now.  It's deliberately designed so that there is no
> change.  DNSSEC doesn't add this ability.  DNSSEC with only a single set
> of keys used to sign the root does take it away.

Reluctant as I am to add superstructure to the bridge where this whole
idea ought to live, it seems to me that DNSSEC doesn't do what you say
it does.

Suppose some root server operators wanted break away.  Prior to
DNSSEC, they had to get others to accept their alternate root.hints
file and use it, or else somehow inject poison such that people
started using their alternative answers.

Today, now that everything is signed, what they have to do is get
people also to accept their alternate trust anchor.  DNSSEC will work
as long as there is a valid signature chained from at least one
configured trust anchor.  So if people accept the alternate-root-TA,
then signed responses from those alternate root people will also work.

I don't actually advocate any of this, please note.  I think it would
be a bad idea.  But the nuclear option doesn't go away just because we
have shiny new missiles instead of airplanes.


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the dns-operations mailing list