[dns-operations] DNSSEC undoing independence of root-zone operators

Tony Finch dot at dotat.at
Wed Feb 16 17:05:12 UTC 2011

I know Phil personally so I hope he won't mind me saying that I think he
has been spending too much time listening to crazy libertarians and

On Tue, 15 Feb 2011, David Conrad wrote:
> P.S. You might want to look again at how the root trust anchor is
> managed by resolvers.

One of the things that concerns me is the brittleness of the current
arrangements. I wrote up a proposal for how to fix this a couple of weeks
ago: http://www.ietf.org/mail-archive/web/dnsext/current/msg10538.html

I must admit that the structure I have in mind for the root key witnesses
is similar to the root server operators. Unlike Phil who wants to make it
easy for them to splinter, my aim is to establish consensus between the
witnesses and cryptographically prove it to a bootstrapping validator.

Analogy with apologies to Aesop: The current setup hangs everything of a
single solid trunk, but it's a crack willow and will make an almighty mess
if it fails or needs replacing. Phil proposes a set of individual twigs. I
propose a resilient bundle of twigs.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
West FitzRoy: Northwesterly gale 8 to storm 10, backing westerly 4 or 5. High
or very high. Squally showers. Good, occasionally poor.

More information about the dns-operations mailing list