[dns-operations] New addresses for b.root-servers.net

Joe Abley jabley at strandkip.nl
Sun Jun 4 09:34:46 UTC 2023


Hi Matthew,

Signing the ROOT-SERVERS.NET zone would provide the ability to validate its contents, but since it's rare for applications and end users to ask questions that are answerable from that zone the benefit is arguably marginal. The ability to follow a chain of trust through keys published in the root, COM and CLOUDFLARE.COM allows names in that zone to be validated completely without a secure delegation to the ROOT-SERVERS.NET zone, for example.

There would also be some amount of operational complexity in managing the signing function, and new failure modes if the ability to validate the contents of that zone depended on a clean path of trust through the root and NET zones. These are probably minor or manageable.

I think the most compelling argument against signing that zone is that many priming queries are sent with DO=1, and a priming response that included signatures would be significantly larger than it is without, and would require either fragmentation or a non-UDP transport to deliver. This would be a significant change to a population of DNS clients whose practical constraints regarding DNS message delivery are not well-understood.

So, it's difficult to identify a clear benefit and the risks, although quite possibly small, have the potential to be significant.

Joe
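The size argument in the message above can be checked with a small wire-format model. The following is an added example, not code from the original post or from any root server operator: it builds a synthetic priming response (". NS" with EDNS0) using RFC 1035 name compression and compares its size with and without RRSIGs over the A/AAAA records of the root-servers.net names. The addresses (documentation ranges), TTLs, DNSKEY algorithms and signature lengths are constructed or assumed; only the wire layout is real, and the assumption that the root NS RRset's own RRSIG is already returned today when DO=1 is noted in the code.

```python
"""Model the wire size of a root priming response with and without RRSIGs
over the root-servers.net A/AAAA records.  Added example; addresses, TTLs
and signature lengths are constructed/assumed, the wire layout (RFC 1035
names and compression, RFC 4034 RRSIG, RFC 6891 OPT) is real."""
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
EDNS_UDP_SIZE = 1232       # payload size advertised by the client (assumed)
DO_BIT = 0x8000            # DNSSEC OK flag lives in the OPT "TTL" field
LETTERS = "abcdefghijklm"  # a..m.root-servers.net
SIG_LEN = {"RSASHA256-2048": 256, "ECDSAP256SHA256": 64}  # raw sig bytes


class DnsMessage:
    """Minimal DNS wire-format builder with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray(12)   # header; counts/flags left zero, size only
        self.offsets = {}          # name suffix -> offset of its first use

    def put_name(self, dname, compress=True):
        labels = [l for l in dname.rstrip(".").split(".") if l]
        while labels:
            suffix = ".".join(labels)
            if compress and suffix in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[suffix])
                return
            if compress and len(self.buf) < 0x4000:
                self.offsets[suffix] = len(self.buf)
            label = labels.pop(0).encode("ascii")
            self.buf += bytes([len(label)]) + label
        self.buf += b"\x00"        # root label terminates the name

    def question(self, dname, qtype):
        self.put_name(dname)
        self.buf += struct.pack("!HH", qtype, 1)

    def rr(self, owner, rtype, ttl, rdata, rclass=1):
        """Append one RR; rdata is a callable that writes into self.buf."""
        self.put_name(owner)
        self.buf += struct.pack("!HHIH", rtype, rclass, ttl, 0)
        rdlen_at, start = len(self.buf) - 2, len(self.buf)
        rdata()
        struct.pack_into("!H", self.buf, rdlen_at, len(self.buf) - start)

    def rrsig(self, owner, covered, ttl, signer, sig_len):
        def rdata():
            # type covered, algorithm, labels, orig TTL, expiration,
            # inception, key tag: values constructed, only the size matters
            self.buf += struct.pack("!HBBIIIH", covered, 8, 1, ttl, 0, 0, 0)
            self.put_name(signer, compress=False)  # signer is never compressed
            self.buf += b"\x00" * sig_len
        self.rr(owner, TYPE_RRSIG, ttl, rdata)


def priming_response(root_sig_len=None, rsn_sig_len=None):
    """Wire bytes of a synthetic priming response.
    root_sig_len: RRSIG size over the root NS RRset (None = DO=0, no RRSIGs).
    rsn_sig_len:  RRSIG size over each A/AAAA RRset if ROOT-SERVERS.NET were
                  signed (None = unsigned, as today)."""
    m = DnsMessage()
    m.question(".", TYPE_NS)
    ttl_ns, ttl_glue = 518400, 3600                       # constructed TTLs
    for l in LETTERS:
        m.rr(".", TYPE_NS, ttl_ns, lambda l=l: m.put_name(f"{l}.root-servers.net."))
    if root_sig_len is not None:
        # assumed: the root NS RRset is signed in the root zone, so its RRSIG
        # is already part of a DO=1 priming response today
        m.rrsig(".", TYPE_NS, ttl_ns, ".", root_sig_len)
    for i, l in enumerate(LETTERS, 1):
        name = f"{l}.root-servers.net."
        # constructed documentation-range addresses, not the real ones
        m.rr(name, TYPE_A, ttl_glue, lambda i=i: m.buf.extend(bytes([192, 0, 2, i])))
        if rsn_sig_len is not None:
            m.rrsig(name, TYPE_A, ttl_glue, "root-servers.net.", rsn_sig_len)
        m.rr(name, TYPE_AAAA, ttl_glue,
             lambda i=i: m.buf.extend(b"\x20\x01\x0d\xb8" + b"\x00" * 11 + bytes([i])))
        if rsn_sig_len is not None:
            m.rrsig(name, TYPE_AAAA, ttl_glue, "root-servers.net.", rsn_sig_len)
    do = DO_BIT if root_sig_len is not None else 0
    m.rr(".", TYPE_OPT, do, lambda: None, rclass=EDNS_UDP_SIZE)
    return bytes(m.buf)


def transport_needed(size, udp_limit=EDNS_UDP_SIZE):
    """'udp' if the response fits the advertised payload in one datagram,
    otherwise it needs IP fragmentation or TCP/other transport."""
    return "udp" if size <= udp_limit else "fragmentation-or-tcp"


if __name__ == "__main__":
    cases = [("DO=0, unsigned", None, None),
             ("DO=1, rsn unsigned, root RSA-2048", 256, None),
             ("DO=1, rsn signed RSA-2048", 256, SIG_LEN["RSASHA256-2048"]),
             ("DO=1, rsn signed ECDSA P-256", 256, SIG_LEN["ECDSAP256SHA256"])]
    for label, r, s in cases:
        n = len(priming_response(r, s))
        print(f"{label:40s} {n:5d} bytes  -> {transport_needed(n)}")
```

The model gives 811 bytes for a DO=0 response and 1097 bytes for DO=1 as served today (NS RRset plus one 256-byte RSA signature), which fits a 1232-byte EDNS buffer. Adding 26 RRSIGs over the glue pushes it to 9001 bytes with RSA-2048 and 4009 bytes even with ECDSA P-256, well past any single unfragmented datagram. The constructed numbers can be compared with a real response from `dig . NS +dnssec`, which reports the message size it received.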
