[dns-operations] DNSSEC undoing independence of root-zone operators

Ben Scott mailvortex at gmail.com
Wed Feb 16 02:12:09 UTC 2011


On Tue, Feb 15, 2011 at 7:54 PM, Phil Pennock <dnsop+phil at spodhuis.org> wrote:
> ... some
> number of root server operators refuse to accept the change, but can't
> re-sign the old zone because they lack the keys.  They can stop
> publishing DNSSEC records and lead to resolver failures because of the
> lack of a graceful transition, or they can sign with new keys which
> will be rejected by the resolvers as bogus, as DNSSEC does what it's
> designed to do.

  Seems to me you're just moving the problem around.

  Right now, there's one key that's used for the entire root zone.  If
a root server operator disagrees with the zone that is published and
signed, the root server operator has to create a new zone, create a
new key, and convince others to accept them (disregarding the others).

  Your proposal is every root server operator gets their own key.  If
a root server operator disagrees with the zone that is published and
signed by others, the root server operator has to create a new zone
and convince others to accept it (disregarding the others).

  In both cases, the rest of the community has to choose the root
server(s) one wishes to use, and we have multiple competing
namespaces.

  Am I missing something?

  "Any problem can be solved by adding another layer of indirection."
(Google for attribution)

-- Ben
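The "bogus" outcomes both posts rely on (a resolver that trusts one root key rejects anything else, and an unsigned root is not a graceful fallback either) are easy to see in a model. The block below is an added example and is not code from this thread or from any root operator; it uses Lamport one-time signatures over SHA-256 as a standard-library stand-in for the RSA/ECDSA algorithms real DNSSEC uses, collapses the KSK/ZSK split into a single root key whose DS-style digest is the configured trust anchor, and signs a few constructed sample NS records. The function and key names (`key_tag`, `publish_root`, `validate`, the "official" and "dissenting" operators) are illustrative, not anything from the real root.

```python
import hashlib
import os

# Toy asymmetric signature scheme: Lamport one-time signatures over SHA-256.
# A stand-in for the RSA/ECDSA algorithms real DNSSEC uses, chosen so the
# example runs with only the standard library. It is still a genuine
# public-key scheme: verification needs only the public half.
H = hashlib.sha256


def keygen():
    """One key pair: 256 pairs of secret preimages, and their hashes as the public key."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(H(a).digest(), H(b).digest()) for a, b in priv]
    return priv, pub


def _bits(msg):
    digest = H(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(priv, msg):
    """Reveal, for each digest bit, the matching secret preimage."""
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pub, msg, sig):
    """Accept only if every revealed preimage hashes to the published value."""
    return all(H(sig[i]).digest() == pub[i][bit] for i, bit in enumerate(_bits(msg)))


def key_tag(pub):
    """DS-style digest of a public key; a resolver configures this as its trust anchor."""
    return H(b"".join(a + b for a, b in pub)).hexdigest()[:16]


# Constructed sample root-zone data (not real delegation records).
ROOT_RRSET = b"com. NS a.gtld-servers.net.\norg. NS a0.org.afilias-nst.info.\n"


def publish_root(key, rrset):
    """A signed root: the RRset, the DNSKEY set, and an RRSIG carrying the signer's key tag."""
    priv, pub = key
    return {"rrset": rrset, "dnskey": [pub], "rrsig": (key_tag(pub), sign(priv, rrset))}


def publish_root_unsigned(rrset):
    """An operator that simply stops publishing DNSSEC records."""
    return {"rrset": rrset, "dnskey": [], "rrsig": None}


def validate(trust_anchor, response):
    """Validating-resolver view: 'secure' or 'bogus'.

    With a trust anchor configured for the zone, unsigned data is bogus rather
    than insecure: nothing proves the zone was allowed to be unsigned.
    """
    if response["rrsig"] is None:
        return "bogus"
    tag, sig = response["rrsig"]
    if tag != trust_anchor:
        return "bogus"  # signed, but by a key this resolver was never told to trust
    for pub in response["dnskey"]:
        if key_tag(pub) == trust_anchor and verify(pub, response["rrset"], sig):
            return "secure"
    return "bogus"  # tag claims the anchored key, but the signature does not verify


def scenarios():
    """The cases from the thread, as seen by a resolver anchored to the official key."""
    official, dissenting = keygen(), keygen()
    anchor = key_tag(official[1])

    tampered = publish_root(official, ROOT_RRSET)
    tampered["rrset"] = ROOT_RRSET.replace(b"a.gtld-servers.net.", b"ns.example.")

    forged = publish_root(dissenting, ROOT_RRSET)
    forged["rrsig"] = (anchor, forged["rrsig"][1])  # claim the official tag, keep own signature
    forged["dnskey"].append(official[1])  # even with the official DNSKEY present

    return {
        "official_zone": validate(anchor, publish_root(official, ROOT_RRSET)),
        "unsigned_zone": validate(anchor, publish_root_unsigned(ROOT_RRSET)),
        "resigned_with_new_key": validate(anchor, publish_root(dissenting, ROOT_RRSET)),
        "forged_key_tag": validate(anchor, forged),
        "tampered_records": validate(anchor, tampered),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:24s} {verdict}")
```

Only the zone signed by the anchored key validates; dropping the signatures, re-signing with another key, or claiming the official key tag over a different signature all come out bogus, which is the failure mode Phil describes. Changing the trust anchor (or distributing a second one) is the only way a dissenting zone becomes acceptable, and that decision sits with every resolver operator, not with the root server operators, which is Ben's point about the problem merely moving.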


