[dns-operations] DNSSEC undoing independence of root-zone operators

David Conrad drc at virtualized.org
Wed Feb 16 02:16:27 UTC 2011

On Feb 15, 2011, at 4:54 PM, Phil Pennock wrote:
> Thank you: that's what I wanted, a no-op change between the previous solution and the DNSSEC world.

I think you missed my point.

In _all_ scenarios, including yours where root server operators edit and sign the root zone, the end result is the same:  resolver operators must modify their root hints and/or trusted keys to choose which name space they want to believe in. All your proposal does is add to the number of folks who can partition the name space without validators failing.  This solves no useful problem I can identify.

If the Illuminati or the Unified World Governments (or the USG) decided to force an inappropriate change into the root, there would be an instant political "discussion" that would result in resolver operators being forced to choose which namespace they want to use, regardless of whether the root zone is signed or by whom.

Contrary to what you appear to believe, the root server operators are not and never have been the Root Zone Police.  Trying to put them into that roll is a waste of time.  There are (arguably) useful additional checks and balances that could be imposed into the root zone management process (at the cost of additional complexity and latency for changes) irrespective of DNSSEC, however attempting to push those checks and balances onto the secondary server operators is just broken: it ain't their job.


P.S. You might want to look again at how the root trust anchor is managed by resolvers.

More information about the dns-operations mailing list