Hi Matthew,

Signing the ROOT-SERVERS.NET zone would provide the ability to validate its 
contents, but since it's rare for applications and end users to ask questions 
that are answerable from that zone the benefit is arguably marginal. The 
ability to follow a chain of trust through keys published in the root, COM and 
CLOUDFLARE.COM allows names in that zone to be validated completely without a 
secure delegation to the ROOT-SERVERS.NET zone, for example.

There would also be some amount of operational complexity in managing the signing 
function, and new failure modes if the ability to validate the contents of that 
zone depended on a clean path of trust through the root and NET zones. These 
are probably minor or manageable.

I think the most compelling argument against signing that zone is that many 
priming queries are sent with DO=1, and a priming response that included 
signatures would be significantly larger than it is without, and would require 
either fragmentation or a non-UDP transport to deliver. This would be a 
significant change to a population of DNS clients whose practical constraints 
regarding DNS message delivery are not well-understood.

So, it's difficult to identify a clear benefit and the risks, although quite 
possibly small, have the potential to be significant.

Joe

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

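The size argument in the message above can be made concrete by building a priming response on the wire and measuring it. The following is an added example, not code from the list or from any root server operator: it encodes the 13 root server names (real) with RFC 1035 name compression, attaches constructed A/AAAA glue (documentation addresses, not the real ones), and adds placeholder RRSIGs of realistic length for a 2048-bit RSA or a P-256 ECDSA signer. The RRSIG fields other than the signer's name and signature length are dummy values, and real servers may trim additional data or omit signed glue, so treat the numbers as lower bounds on what a fully populated, fully signed response would weigh.

```python
"""Estimate priming-response sizes with and without DNSSEC signatures.

Added example; hand-built RFC 1035 wire format so it runs offline.
Addresses, TTLs, key tags and signature bytes are constructed placeholders.
"""
import struct

NS, A, AAAA, OPT, RRSIG, IN = 2, 1, 28, 41, 46, 1
ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
# Raw signature length in bytes per algorithm (assumed key sizes).
SIG_LEN = {"RSASHA256-2048": 256, "ECDSAP256SHA256": 64}


class DnsMessage:
    """Minimal DNS response builder with RFC 1035 name compression."""

    def __init__(self, msg_id=0x1234):
        # QR=1, AA=1; section counts are patched in by finish().
        self.buf = bytearray(struct.pack("!HHHHHH", msg_id, 0x8400, 0, 0, 0, 0))
        self.counts = [0, 0, 0, 0]  # qd, an, ns, ar
        self.offsets = {}           # dotted suffix -> first wire offset

    def name(self, dotted, compress=True):
        labels = [l for l in dotted.rstrip(".").split(".") if l]
        while labels:
            key = ".".join(labels)
            if compress and key in self.offsets:
                self.buf += struct.pack("!H", 0xC000 | self.offsets[key])
                return
            if key not in self.offsets and len(self.buf) < 0x4000:
                self.offsets[key] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0].encode("ascii")
            labels = labels[1:]
        self.buf += b"\x00"  # root label terminates an uncompressed name

    def question(self, qname, qtype):
        self.name(qname)
        self.buf += struct.pack("!HH", qtype, IN)
        self.counts[0] += 1

    def rr(self, section, owner, rtype, rdata_writer, rclass=IN, ttl=518400):
        self.name(owner)
        self.buf += struct.pack("!HHI", rtype, rclass, ttl)
        rdlen_at = len(self.buf)
        self.buf += b"\x00\x00"
        rdata_writer()
        self.buf[rdlen_at:rdlen_at + 2] = struct.pack("!H", len(self.buf) - rdlen_at - 2)
        self.counts[section] += 1

    def rrsig(self, section, owner, covered, signer, sig_len):
        def writer():
            # type covered, algorithm, labels, original TTL, expiration,
            # inception, key tag: dummy values except the type covered.
            self.buf += struct.pack("!HBBIIIH", covered, 8, 0, 518400, 0, 0, 0)
            self.name(signer, compress=False)  # RFC 4034 3.1.7: never compressed
            self.buf += bytes(sig_len)         # constructed placeholder signature
        self.rr(section, owner, RRSIG, writer)

    def finish(self, udp_size=1232, do_bit=False):
        # OPT pseudo-RR: owner ".", CLASS carries the UDP buffer size,
        # TTL carries extended RCODE/version/DO flag.
        self.rr(3, ".", OPT, lambda: None, rclass=udp_size, ttl=0x8000 if do_bit else 0)
        self.buf[4:12] = struct.pack("!HHHH", *self.counts)
        return bytes(self.buf)


def priming_response(do_bit, root_servers_net_signed, alg="RSASHA256-2048"):
    """Build a '. IN NS' priming response with all 13 NS RRs and full glue."""
    sig_len = SIG_LEN[alg]
    m = DnsMessage()
    m.question(".", NS)
    for ns in ROOT_SERVERS:
        m.rr(1, ".", NS, lambda ns=ns: m.name(ns))
    if do_bit:  # the root zone is signed today, so DO=1 already adds RRSIG(NS)
        m.rrsig(1, ".", NS, ".", sig_len)
    for i, ns in enumerate(ROOT_SERVERS):
        # Constructed glue from documentation ranges, not the real addresses.
        m.rr(3, ns, A, lambda i=i: m.buf.extend(bytes([198, 51, 100, i])))
        m.rr(3, ns, AAAA, lambda i=i: m.buf.extend(b"\x20\x01\x0d\xb8" + bytes(11) + bytes([i])))
    if do_bit and root_servers_net_signed:
        # Hypothetical: ROOT-SERVERS.NET signed, so each A and AAAA RRset
        # in the additional section carries its own RRSIG.
        for ns in ROOT_SERVERS:
            m.rrsig(3, ns, A, "root-servers.net.", sig_len)
            m.rrsig(3, ns, AAAA, "root-servers.net.", sig_len)
    return m.finish(do_bit=do_bit)


def section_counts(wire):
    """Return (qdcount, ancount, nscount, arcount) from a wire message."""
    return struct.unpack("!HHHH", wire[4:12])


def delivery_constraint(size, edns_bufsize=1232):
    """Classify what a response of this size needs from the client path."""
    if size <= 512:
        return "plain UDP (RFC 1035 512-byte limit)"
    if size <= edns_bufsize:
        return f"UDP with EDNS buffer >= {size}"
    return "fragmented UDP or TCP fallback (TC=1)"


if __name__ == "__main__":
    for label, kw in [("DO=0", dict(do_bit=False, root_servers_net_signed=False)),
                      ("DO=1, root-servers.net unsigned", dict(do_bit=True, root_servers_net_signed=False)),
                      ("DO=1, root-servers.net signed", dict(do_bit=True, root_servers_net_signed=True))]:
        for alg in SIG_LEN:
            n = len(priming_response(alg=alg, **kw))
            print(f"{label:35} {alg:16} {n:5} bytes  {delivery_constraint(n)}")
```

Under these assumptions the unsigned response with full glue is already over 512 bytes and so depends on EDNS; adding only the root's RRSIG(NS) for DO=1 keeps it under the commonly recommended 1232-byte EDNS buffer with either algorithm, while signing the 26 glue RRsets pushes it well past any single unfragmented UDP datagram even with P-256 signatures. That is the fragmentation-or-TCP outcome the message describes, and the 26 extra RRSIGs are where the bytes go.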