[dns-operations] New addresses for b.root-servers.net

Doug Barton dougb at dougbarton.us
Sat Jun 3 21:09:00 UTC 2023


On 6/3/23 11:03 AM, Dave Knight wrote:
> 
> 
>> On Jun 3, 2023, at 1:22 AM, Doug Barton <dougb at dougbarton.us> wrote:
>>
>> On 6/2/23 11:12 AM, Dave Knight wrote:
>> Regarding your assertion that you can validate the priming query with DNSSEC,
> 
> I suggested that we validate the priming response, we don't validate queries with DNSSEC.


You are correct, I was imprecise with my language there. Hopefully my 
meaning was well taken.

>> all you can validate is the NS set. The host records cannot be validated because root-servers.net is not signed.
> 
> Good point!
> 
> They're still used to replace what was provided in the root.hints after the priming response is received though.

Right, but that's not relevant to your assertion that we don't need OOB 
validation because we can validate the priming query with DNSSEC.


1. The priming query uses root hints, whether it's a file or compiled in
2. The signature in the root zone only covers the host names for the 
root delegation, which are incredibly unlikely to ever change
3. The host records for the root servers cannot be validated with DNSSEC

Since the host records are the interesting bit, we do absolutely need to 
make sure that we can sanity check them somehow. I'm not sure Chris' 
suggestion to essentially "vote" on which host records are the right 
ones based on the results returned from polling all the known addresses 
is the right solution.

Personally I would love to see the political drama around signing 
root-servers.net go away and have that zone signed already.

Doug
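An added illustration of the three points above (not code from the thread or from any root-server operator): it takes a priming response, decides per RRset whether DNSSEC can validate it, and then sanity-checks the RRsets it cannot validate (the root-servers.net glue) against a root hints table. The response, the hints, the zone list and the addresses (RFC 5737 / RFC 3849 documentation ranges) are all constructed sample data; the signature field is a placeholder, and no real validation of signatures is performed, only the question of which RRsets a signature could cover.

```python
"""Classify the RRsets of a DNS priming response by whether DNSSEC could
validate them, then sanity-check the unvalidatable glue against root hints.

Added example; not code from the dns-operations thread. All data below is
constructed: the IP addresses are documentation addresses, not real
root-server addresses, and the RRSIG rdata is a placeholder."""

from collections import defaultdict

# Zone apexes known in this sample and whether each one is DNSSEC-signed.
# root-servers.net is unsigned, which is the thread's point (constructed).
ZONES = {".": True, "net.": True, "root-servers.net.": False}

# A cut-down priming response: (section, owner, rtype, rdata).  The NS
# RRset in the answer section carries an RRSIG; the glue in the additional
# section has none, because its zone is unsigned (constructed).
PRIMING_RESPONSE = [
    ("answer", ".", "NS", "a.root-servers.net."),
    ("answer", ".", "NS", "b.root-servers.net."),
    ("answer", ".", "RRSIG", "NS 8 0 518400 SIGNATURE-PLACEHOLDER"),
    ("additional", "a.root-servers.net.", "A", "192.0.2.1"),
    ("additional", "b.root-servers.net.", "A", "192.0.2.2"),
    ("additional", "b.root-servers.net.", "AAAA", "2001:db8::2"),
]

# Root hints as the resolver shipped them.  B's A record is deliberately
# stale here to show what an address change looks like (constructed).
ROOT_HINTS = {
    ("a.root-servers.net.", "A"): {"192.0.2.1"},
    ("b.root-servers.net.", "A"): {"192.0.2.99"},
    ("b.root-servers.net.", "AAAA"): {"2001:db8::2"},
}


def enclosing_zone(name, zones):
    """Closest enclosing zone apex of `name` among `zones`, or None."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "." if labels[i:] else "."
        if candidate in zones:
            return candidate
    return None


def group_rrsets(response):
    """Split records into RRsets and note which (section, owner, type)
    each RRSIG claims to cover (first rdata token is the covered type)."""
    rrsets, covered = defaultdict(set), set()
    for section, owner, rtype, rdata in response:
        if rtype == "RRSIG":
            covered.add((section, owner, rdata.split()[0]))
        else:
            rrsets[(section, owner, rtype)].add(rdata)
    return rrsets, covered


def classify(response, zones):
    """Map each RRset key to 'validatable', 'unsigned-zone' or
    'missing-rrsig'.  Only RRsets in a signed zone with a covering RRSIG
    are candidates for DNSSEC validation."""
    rrsets, covered = group_rrsets(response)
    result = {}
    for key in rrsets:
        section, owner, rtype = key
        apex = enclosing_zone(owner, zones)
        if apex is None or not zones[apex]:
            result[key] = "unsigned-zone"
        elif key not in covered:
            result[key] = "missing-rrsig"
        else:
            result[key] = "validatable"
    return result


def glue_mismatches(response, classification, hints):
    """For RRsets DNSSEC cannot validate, compare rdata with the hints and
    return (owner, rtype, seen, expected) for every difference.  This is
    the out-of-band sanity check the glue needs until its zone is signed."""
    rrsets, _ = group_rrsets(response)
    out = []
    for key, status in classification.items():
        if status == "validatable":
            continue
        _, owner, rtype = key
        expected = hints.get((owner, rtype))
        if expected is None or expected != rrsets[key]:
            out.append((owner, rtype, sorted(rrsets[key]), sorted(expected or [])))
    return out


if __name__ == "__main__":
    status = classify(PRIMING_RESPONSE, ZONES)
    for (section, owner, rtype), s in status.items():
        print(f"{section:10} {owner:22} {rtype:5} {s}")
    for owner, rtype, seen, expected in glue_mismatches(PRIMING_RESPONSE, status, ROOT_HINTS):
        print(f"glue differs from hints: {owner} {rtype} response={seen} hints={expected}")
```

Run as a script it prints the NS RRset as validatable and every A/AAAA glue RRset as unsigned-zone, then reports that the response's address for b.root-servers.net differs from the hints. A glue difference is not evidence of tampering on its own (this thread is about a legitimate address change), which is exactly why the message argues for some out-of-band check of the host records rather than trusting either the hints or the unsigned response alone.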
