[dns-operations] DNSSEC undoing independence of root-zone operators
ajs at shinkuro.com
Wed Feb 16 16:00:09 UTC 2011
On Tue, Feb 15, 2011 at 08:01:45PM -0500, Phil Pennock wrote:
> On 2011-02-15 at 18:10 -0500, Andrew Sullivan wrote:
> > Suppose some root server operators wanted to break away. Prior to
> > DNSSEC, they had to get others to accept their alternate root.hints
> > file and use it, or else somehow inject poison such that people
> > started using their alternative answers.
> No, prior to DNSSEC they just continued publishing a complete root zone
> (as regards delegations, not as regards NS records for the root) on
> their existing IP address and resolver operators get to choose whether
> or not to drop the censored root servers from their start-up hints file,
> to ensure they can consistently lock onto the uncensored set.
What exactly is the difference, sub specie aeternitatis, between "get
others to accept their alternate root.hints file and use it" and
"resolver operators get to choose whether or not to drop the censored
root servers from their start-up hints file"? All you're doing is
moving around the voice in which the proposition is expressed.
The point is that the choice here remains one on the resolution side.
> Sorting out a new trust anchor is a significant barrier, especially
> since a large percentage of private resolver operators don't really
> understand even DNS.
Aha. So what you're saying is not that the independence you impute to
the root server operators is now _impossible_, but that it is
_harder_. People need to learn stuff in order to make an informed
choice. Yep, that's harder. I regard that as a feature, not a bug.
What you appear to be arguing is that it needs to be easy for some
new, Illuminati- and Templar-fighting cabal to come together and start
publishing some non-IANA root zone, simply feeding this "uncensored"
root zone to the plebeian masses who don't know any better. If I put
aside my initial reaction (which is that you should stop reading so
much Dan Brown), I am left with the question of why you think it would
be better to have some _sub rosa_ self-appointed committee make this
decision than it would be to have a giant, public, international
scandal that forces such things to be worked out in public.
ajs at shinkuro.com