[dns-operations] DNSSEC undoing independence of root-zone operators

Suzanne Woolf woolf at isc.org
Wed Feb 16 03:43:15 UTC 2011

On Tue, Feb 15, 2011 at 06:16:27PM -0800, David Conrad wrote:
> Contrary to what you appear to believe, the root server operators
> are not and never have been the Root Zone Police.  Trying to put
> them into that role is a waste of time.  There are (arguably) useful
> additional checks and balances that could be imposed into the root
> zone management process (at the cost of additional complexity and
> latency for changes) irrespective of DNSSEC, however attempting to
> push those checks and balances onto the secondary server operators
> is just broken: it ain't their job.

This is exactly, completely right.

I've got a lot of opinions about how the root zone ought to be
managed, which I express in various ways in various places.

But after a dozen years with varying levels of responsibility for root
server operations, from day-to-day wrangling of servers to my current
almost-entirely-policy roles, I don't think it would be a good idea
for any root server operator to express such opinions in the form of
altering data or configuration of a root server. Nor do I regard the
ability to do so as one worth adding additional complexity and
potential failures to the system to preserve.

This does in fact mean that IANA (or whatever authority your root
has-- there's got to be one if you want a consistent and/or coherent
namespace) represents a single point of failure in some sense. Like it
or not, that's how DNS was designed: a zone has one place,
conceptually if not operationally, that's canonical for its
contents. (Services like Akamai's or ultra's make this fuzzy but the
concept is still there; there's a zone authority that's clearly
responsible for managing whatever inconsistency may be involved.)

One of the things to like about DNSSEC is that it means you no longer
have to trust the server to trust the answer it gave you. This is
because of the underlying notion that there's a source of the data,
separate from any particular server that can offer it to you, that
defines what ought to be there. The complementary idea-- that you want
to trust the server but not the original zone authority as source of
the data-- is meaningless in the DNS. It always was; DNSSEC just makes
it obvious.
