[dns-operations] Domain Name System without Root Servers

Paul Vixie paul at redbarn.org
Tue Oct 3 14:39:57 UTC 2017

Daniel Karrenberg wrote:
> On 03/10/2017 00:01, Stephane Bortzmeyer wrote:
>> On Mon, Oct 02, 2017 at 06:32:09PM -0700,
>>   Daniel Karrenberg<dfk at ripe.net>  wrote
> ...
>>> As this paper shows nicely lameness will be very limited even if a
>>> resolver operator chooses to do this only every couple of weeks. No
>>> protocol changes needed. No IETF politics and over-engineering. No
>>> special action by TLD operators. No ICANN process required.
>> One important thing about the paper I mentioned is that, if
>> implemented, it would introduce a shift in root governance: from ICANN
>> to resolvers authors/packagers (because they would distribute a
>> compilation of NS and DS records in the software).
> Only if resolvers use root zone content without validating signatures
> against the ICANN trust anchor(s).

indeed, that is how the yeti-dns project does it. import from iana, 
validate using the icann trust anchor, then generate our own zone. i 
think that as long as a redistributor is only accepting icann-signed 
information about the root namespace, then it doesn't matter how that 
information is signed and verified downstream.

there is always a concern of namespace modification or amendment, and so 
any resolver implementer who includes an internal copy of root zone 
meta-data, ought to publish a public statement as whether they do, or 
would ever do, this.

P Vixie

More information about the dns-operations mailing list