[dns-operations] DNSSEC undoing independence of root-zone
jgreco at ns.sol.net
Wed Feb 16 01:39:31 UTC 2011
> On 2011-02-15 at 18:10 -0500, Andrew Sullivan wrote:
> > Suppose some root server operators wanted break away. Prior to
> > DNSSEC, they had to get others to accept their alternate root.hints
> > file and use it, or else somehow inject poison such that people
> > started using their alternative answers.
> No, prior to DNSSEC they just continued publishing a complete root zone
> (as regards delegations, not as regards NS records for the root) on
> their existing IP address and resolver operators get to choose whether
> or not to drop the censored root servers from their start-up hints file,
> to ensure they can consistently lock onto the uncensored set.
> > Today, now that everything is signed, what they have to do is get
> > people also to accept their alternate trust anchor. DNSSEC will work
> > as long as there is a valid signature chained from at least one
> > configured trust anchor. So if people accept the alternate-root-TA,
> > then signed responses from those alternate root people will also work.
> And my proposal is that the alternate trust anchors all exist in
> parallel, signing the same content (excepting DNSKEY on .) and client
> tools which currently fetch the one DNSSEC signing key instead fetch one
> per root server IP address.
> In the event of a split, the server operators continue on the same IP,
> as before, using the same key they were already using, strip out the
> censored NS, as before, and the only action needed by the resolver
> operators is to remove the IP addresses of the censored servers, as
> Sorting out a new trust anchor is a significant barrier, especially
> since a large percentage of private resolver operators don't really
> understand even DNS.
> My intent is to preserve the pre-DNSSEC status quo of independence,
> including the pre-DNSSEC status of just accepting the one zonefile as
> being the sanest solution, barring very good cause not to.
This is pointless and, as far as I can tell, detrimental.
One of the most important features of DNS is supposed to be consistency
(coherence, anybody?). We don't really need root server operators who
decide that there is a compelling reason to break that property. This
just inflicts (what appears to be) random brokenness on end users.
If and when IANA does something that someone on down the chain finds to
be objectionable, the ideal solution is for _that_ party to make changes
as needed. For example, if I felt that there was a compelling reason
to stop serving names for .XYZZY, I can make those changes on our
recursers, and all our clients will reliably stop resolving it. If I
want to delegate .XYZZY over to someone, I can do that too, and it'll
If, however, Paul Vixie decides that F-root is going to serve up .XYZZY
pointed to that delegated someone, then suddenly it might work for some
people on the Internet but not for others; who it works for and when is
largely a matter of chance, which is ridiculous.
If you don't trust IANA, the correct solution is an alternate root
server network. ORSN was tried and failed, but there's no particular
reason something like that couldn't be done again.
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
More information about the dns-operations