[dns-operations] Domain Name System without Root Servers
Paul Vixie
paul at redbarn.org
Tue Oct 3 14:39:57 UTC 2017
Daniel Karrenberg wrote:
>
> On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
>> On Mon, Oct 02, 2017 at 06:32:09PM -0700,
>> Daniel Karrenberg <dfk at ripe.net> wrote
> ...
>>> As this paper shows nicely lameness will be very limited even if a
>>> resolver operator chooses to do this only every couple of weeks. No
>>> protocol changes needed. No IETF politics and over-engineering. No
>>> special action by TLD operators. No ICANN process required.
>> One important thing about the paper I mentioned is that, if
>> implemented, it would introduce a shift in root governance: from ICANN
>> to resolvers authors/packagers (because they would distribute a
>> compilation of NS and DS records in the software).
>
> Only if resolvers use root zone content without validating signatures
> against the ICANN trust anchor(s).
indeed, that is how the yeti-dns project does it. import from iana,
validate using the icann trust anchor, then generate our own zone. i
think that as long as a redistributor is only accepting icann-signed
information about the root namespace, then it doesn't matter how that
information is signed and verified downstream.
there is always a concern of namespace modification or amendment, and so
any resolver implementer who includes an internal copy of root zone
meta-data, ought to publish a public statement as to whether they do, or
would ever do, this.
--
P Vixie
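The "validate using the icann trust anchor" step above starts with a check that the apex DNSKEY RRset of the zone you just imported actually chains to the configured DS trust anchor. The following is an added example written for this page, not yeti-dns or any resolver's code: it implements the RFC 4034 key tag and DS digest arithmetic in plain Python and refuses a zone whose apex KSK does not match the anchor. The key octets, the zone excerpt and the anchor are all constructed so it runs offline; in production the anchor set would be the DS data IANA publishes at https://data.iana.org/root-anchors/root-anchors.xml and the zone text the IANA root.zone file. The `toy_zone`, `ds_for` and `check_against_anchor` names are this example's own.

```python
"""
Added example, not yeti-dns code: check that the apex DNSKEY RRset of an
imported root zone matches a DS trust anchor (RFC 4034 key tag and DS digest)
before the zone is re-signed and redistributed. Keys, zone text and the anchor
below are constructed for an offline run; none of it is the ICANN key.
"""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminating zero octet. The root name is b'\\x00'."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.split(".")]
    return b"".join(labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit sum with carry fold over the RDATA
    (valid for every algorithm except the obsolete RSA/MD5, algorithm 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet if i & 1 else octet << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 section 5.1.4: digest = H(canonical owner name | DNSKEY RDATA)."""
    h = DIGEST_TYPES[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_for(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """The DS tuple (key tag, algorithm, digest type, digest) this DNSKEY would
    have to match, in the order the presentation format lists them."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (key_tag(rdata), algorithm, digest_type, ds_digest(owner, rdata, digest_type))


def parse_apex_dnskeys(zone_text: str):
    """Pull the apex DNSKEY records out of presentation-format zone text.
    Assumes one record per line with explicit TTL and class, which is how the
    IANA root.zone file is laid out (an assumption of this example)."""
    keys = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0] == "." and f[2] == "IN" and f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys.append((flags, proto, alg, base64.b64decode("".join(f[7:]))))
    return keys


def check_against_anchor(zone_text: str, anchors):
    """anchors: set of (key_tag, algorithm, digest_type, DIGEST-hex) tuples as
    published for the trust anchor. Returns the key tags of apex keys that match
    an anchor. An empty list means: do not re-sign or ship this zone."""
    matched = []
    for flags, proto, alg, pub in parse_apex_dnskeys(zone_text):
        if proto != 3 or not (flags & 0x0001):   # only SEP (KSK) keys are anchored
            continue
        for tag, a_alg, dtype, digest in anchors:
            if ds_for(".", flags, proto, alg, pub, dtype) == (tag, a_alg, dtype, digest):
                matched.append(tag)
    return matched


# Constructed toy key material (four public-key octets, not a real RSA key);
# the DS anchor is derived from it so the check can run offline.
TOY_PUB = bytes([0x00, 0x01, 0x02, 0x03])
TOY_RDATA = dnskey_rdata(257, 3, 8, TOY_PUB)
TOY_ANCHOR = {ds_for(".", 257, 3, 8, TOY_PUB)}


def toy_zone(ksk_pub: bytes) -> str:
    """A constructed three-record excerpt in root.zone layout: KSK, ZSK, one NS."""
    b64 = lambda b: base64.b64encode(b).decode()
    return (
        f".\t172800\tIN\tDNSKEY\t257 3 8 {b64(ksk_pub)}\n"
        f".\t172800\tIN\tDNSKEY\t256 3 8 {b64(b'zskzsk')}\n"
        "com.\t172800\tIN\tNS\ta.gtld-servers.net.\n"
    )


TOY_ZONE = toy_zone(TOY_PUB)
TAMPERED_ZONE = toy_zone(bytes([0x00, 0x01, 0x02, 0x04]))   # one key octet changed

if __name__ == "__main__":
    print("imported zone matches anchor:", check_against_anchor(TOY_ZONE, TOY_ANCHOR))
    print("tampered zone matches anchor:", check_against_anchor(TAMPERED_ZONE, TOY_ANCHOR))
```

A DS match only establishes that the apex KSK is the anchored one. A redistributor then still has to verify the RRSIG over the DNSKEY RRset with that KSK, and the RRSIGs over the NS and DS RRsets with the ZSK it authorises, using a DNSSEC library that does the RSA or ECDSA arithmetic (dnspython, ldns, or the validator built into the resolver); only data that passes both steps is "icann-signed information" in the sense of the message above, and re-signing it under the redistributor's own key is a separate step after that.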