[dns-operations] DNSSEC undoing independence of root-zone operators
olaf at NLnetLabs.nl
Wed Feb 16 13:21:54 UTC 2011
On Feb 15, 2011, at 10:02 PM, Phil Pennock wrote:
> TL;DR: DNSSEC as currently deployed undermines the independence of the
> DNS root-zone operators. If each root-zone operator independently signs
> and the resolvers maintain a *set* of concurrent equivalent signing
> keys, we restore the independence which Postel put in place.
> Blog post:
> (no ads, I make no money by pimping this)
I do not agree with your analysis. The control points are not with the root-server operators but with the 'end-users' (in this case the recursive nameserver operators).
By configuring the root-zone servers (as hints) a recursive nameserver operator now puts trust in a set of operators to provide a well-defined and stable namespace. Any instability or unproductive behavior would cause the recursive nameserver operators to lose trust in the configured set of nameservers and their operators and run to an alternative set of operators (possibly serving another namespace).
In other words recursive nameserver operators configure (put their trust in) a namespace by configuring a blob of data. The addition of a root key to the blob of data does not change that model.
If recursive nameserver operators do not trust the global system they can use local configuration to overrule whatever violates their trust. It would be a bad day for the Internet if that would ever need to happen.
In other words the checks and balances are between the client and the server, DNSSEC doesn't change that.
Also, in your proposal a recursive nameserver operator would have to make important local policy decisions: What to do if one of the nameservers hands out different data? Use an N out of M selection method? Use more trust in operators from your region? Those sorts of choices only need to be made in times of crisis, when the trust in the root-serving system is violated.
If you really want a local fallback in times of crisis you can pull the root-zone, strip the sigs, sign and serve yourself and let your recursive name server point at them. Such you would do on a trade-off in risk, costs and stability.
Olaf M. Kolkman
NLnet Labs
Science Park 140, 1098 XG Amsterdam
http://www.nlnetlabs.nl/
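
The "strip the sigs" step of the local fallback described in the message above, as an added example that is not part of the original post. It assumes a root-zone copy with one record per line and an explicit owner name on each line (the form a zone transfer is usually printed in); the function names and the sample zone are constructed for illustration, and re-signing with a locally held key would follow as a separate step.

```python
# Added example: remove the upstream signer's DNSSEC records from a zone copy
# so the remaining data can be re-signed with a locally controlled key.

# RR types that carry the upstream signer's material. DS is deliberately kept:
# it is delegation data that points at each TLD's own keys.
DNSSEC_TYPES = {"RRSIG", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample, not real root-zone data.
SAMPLE_ZONE = """\
; constructed sample zone
.   86400  IN SOA ns.example. hostmaster.example. 1 1800 900 604800 86400
.   86400  IN RRSIG SOA 8 0 86400 20110223000000 20110216000000 11111 . c2FtcGxl
.   518400 IN NS ns.example.
.   172800 IN DNSKEY 257 3 8 c2FtcGxl
.   86400  IN NSEC nl. NS SOA RRSIG NSEC DNSKEY
nl. 172800 IN NS ns1.example.
nl. 86400  IN DS 12345 8 2 00aa
nl. 86400  IN RRSIG DS 8 1 86400 20110223000000 20110216000000 11111 . c2FtcGxl
"""


def rr_type(line):
    """Return the RR type of a one-record-per-line entry, or None."""
    fields = line.split(";", 1)[0].split()  # the type precedes any rdata
    if len(fields) < 2 or fields[0].startswith("$"):
        return None  # blank line, comment, or $ORIGIN/$TTL directive
    # fields[0] is the owner; TTL and class are optional, in either order.
    for token in fields[1:4]:
        if token.isdigit() or token.upper() in CLASSES:
            continue
        return token.upper()
    return None


def strip_dnssec(zone_text):
    """Return (zone text without upstream DNSSEC records, number dropped)."""
    kept, dropped = [], 0
    for line in zone_text.splitlines():
        if rr_type(line) in DNSSEC_TYPES:
            dropped += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped


if __name__ == "__main__":
    stripped, count = strip_dnssec(SAMPLE_ZONE)
    print(stripped, end="")
    print("; dropped %d DNSSEC records" % count)
```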