[dns-operations] cool idea regarding root zone inviolability

Edward Lewis edward.lewis at icann.org
Fri Nov 28 00:10:46 UTC 2014


Not meant to rain on the parade (but this sounds like it) - early on in the
development of DNSSEC we spent a bit of time on SIG(AXFR) which is exactly
what you described.

We toyed with it and discarded it.  I forget why (which makes this a “rain
on the parade” email) but for a long time afterwards we had a series of jokes
that ended with “that idea is as bad as SIG(AXFR).”

We being the folks in the lab in the 90’s.

…Perhaps it was an estimation of the workload involved on the servers (to do
all the nasty crypto), complications from incremental updates (which were
new then).  We also wrote servers to verify all records upon (authoritative)
load and that was discarded because it took forever to start the server –
probably related.

Maybe someone else on the list recalls why SIG(AXFR) was killed off.

On 11/27/14, 16:11, "Warren Kumari" <warren at kumari.net> wrote:

> ... and Mark Andrews, Paul Hofmann, Paul Wouters, myself and a few others (who,
> embarrassingly enough, I have forgotten) are planning on writing a "zone
> signature" draft (I have an initial version in an edit buffer). The 50,000
> meter view is:
> Sort all the records in canonical order (including glue)
> Cryptographically sign this
> Stuff the signature in a record
> 
> This allows you to verify that you have the full and complete zone (.de...)
> and that it didn't get corrupted in transfer.
> This solves a different, but related issue.
> 
> Hope to finally get off my butt and post -00 soon.
> 
> W
> 
> On Thursday, November 27, 2014, Richard Lamb <richard.lamb at icann.org> wrote:
>> Having worked on SOLAS at the Intl maritime org, I agree with David.  There are
>> many parallels to that space and domain name space.  We should learn from
>> that experience.
>> 
>> Rick
>> 
>> 
>> Sent from my iPhone
>> 
>>> > On Nov 27, 2014, at 11:19, David Conrad <drc at virtualized.org> wrote:
>>> >
>>> > Patrik,
>>> >
>>>> >> On Nov 26, 2014, at 10:40 PM, Patrik Fältström <paf at frobbit.se> wrote:
>>>> >> FWIW, I have been working on this for a while with the Diplo foundation,
>>>> and I am happy to answer questions (and of course listen to concerns).
>>> >
>>> > It is an interesting idea, but I don't get how it would work.  I asked
>>> Jovan back when he initially proposed it, but never heard back.
>>> >
>>> > Is the theory behind this that governments around the world would enter
>>> into some sort of treaty or some other formally binding vehicle that would
>>> make the root zone inviolable? What would be the sanctions should the holder
>>> of the root zone (whoever it might be) ignore the inviolability of the root
>>> zone and how would they be enforced? How is that going to work given (e.g.)
>>> the US hasn't even been able to ratify the Treaty of the Sea and internal
>>> domestic politics will generally override any international agreement at
>>> politicians' whim?
>>> >
>>> > Regards,
>>> > -drc
>>> >
>>> > _______________________________________________
>>> > dns-operations mailing list
>>> > dns-operations at lists.dns-oarc.net
>>> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>> > dns-jobs mailing list
>>> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>> 
> 
> 
> -- 
> I don't think the execution is relevant when it was obviously a bad idea in
> the first place.
> This is like putting rabid weasels in your pants, and later expressing regret
> at having chosen those particular rabid weasels and that pair of pants.
>    ---maf

