On 2010-03-07, at 03:06, George Barwood wrote:

> I have been wondering about this.
Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows:

- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and AAAA RRSets), which is a potential disadvantage
- if we do not sign ROOT-SERVERS.NET there is a threat that the unsigned A and AAAA RRSets from ROOT-SERVERS.NET might be spoofed somehow and that the spoofing will be undetected
- however, since the root zone is signed, validators can already tell when they are talking to a root server that serves bogus information
- signing ROOT-SERVERS.NET would result in potentially-harmful large responses with no increase in security
- let's not do that then

I also find Jim's point regarding NET rather compelling. If the NET zone is not signed, then validating responses from a signed ROOT-SERVERS.NET zone would require yet another trust anchor to be manually configured. It's hard for me to agree that the aggregate operational complexity involved in those manual trust anchors, and the potential effects of a KSK roll without synchronised updating of that static configuration, represents a smaller risk than leaving the zone unsigned, at least for now.

If this logic is faulty then I'd love to hear about it.

Joe

[*] I say "our", but really I mean my personal recollection of conversations with other members of the root-signing design team some time ago, which I haven't cross-checked with anybody before hitting send.

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
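The first bullet of the message above is a claim about response size: one RRSIG per A and per AAAA RRset of the thirteen root-server names. The following script, added here as an illustration and not part of the thread or of any IANA/root-operator code, wire-formats a root priming response (". NS" with the A/AAAA glue in the additional section) with and without those RRSIGs and reports the byte counts. Everything in it is constructed: the addresses are RFC 5737/RFC 3849 documentation addresses rather than the real root-server addresses, the RRSIG signatures are zero-filled placeholders whose length is the only thing that matters (256 bytes for RSA-2048, 64 for ECDSA P-256), and the expiration, inception and key-tag fields are zero. No EDNS OPT record is included, so a real response would be a few bytes larger still.

```python
"""Estimate the size penalty of signing ROOT-SERVERS.NET: wire-format a root
priming response (. NS plus A/AAAA glue for the 13 root-server names) with and
without one RRSIG per address RRset.  Constructed example, not from the thread."""
import ipaddress
import struct

ROOT_SERVER_LABELS = "abcdefghijklm"
SIGNER = "root-servers.net."
# Constructed placeholder addresses from the documentation ranges
# (RFC 5737 / RFC 3849), deliberately NOT the real root-server addresses.
SAMPLE_V4 = {c: f"192.0.2.{i + 1}" for i, c in enumerate(ROOT_SERVER_LABELS)}
SAMPLE_V6 = {c: f"2001:db8::{i + 1}" for i, c in enumerate(ROOT_SERVER_LABELS)}

TYPE_NS, TYPE_A, TYPE_AAAA, TYPE_RRSIG = 2, 1, 28, 46
CLASS_IN, TTL = 1, 3600000
ALG_RSASHA256 = 8


def encode_name(name, offset, compress):
    """RFC 1035 s4.1.4 name encoding with label compression. `offset` is where
    the name will sit in the message; `compress` maps a suffix to the offset
    at which it was first written."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = b""
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in compress:
            return out + struct.pack("!H", 0xC000 | compress[suffix])
        if offset + len(out) < 0x3FFF:
            compress[suffix] = offset + len(out)
        label = labels[i].encode("ascii")
        out += bytes([len(label)]) + label
    return out + b"\x00"


def rrsig_rdata(type_covered, owner_labels, signer, sig_len):
    """RRSIG RDATA laid out per RFC 4034 s3.1.  Expiration, inception and key
    tag are zero placeholders; the signature is sig_len zero bytes (256 is what
    an RSA-2048 signature occupies).  The signer name must not be compressed,
    so it is encoded against a fresh, throw-away compression table."""
    fixed = struct.pack("!HBBIIIH", type_covered, ALG_RSASHA256, owner_labels,
                        TTL, 0, 0, 0)
    return fixed + encode_name(signer, 0, {}) + b"\x00" * sig_len


def build_response(qname, qtype, answer, additional):
    """Wire-format a response.  Each RR is (owner, type, rdata); rdata is raw
    bytes, or a domain-name string that is compressed in place (used for NS)."""
    compress = {}
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answer), 0,
                      len(additional))  # id, flags QR+AA, section counts
    msg += encode_name(qname, len(msg), compress)
    msg += struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, rdata in answer + additional:
        msg += encode_name(owner, len(msg), compress)
        if isinstance(rdata, str):  # RDATA is a name: compress it in place
            rdata = encode_name(rdata, len(msg) + 10, compress)
        msg += struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(rdata)) + rdata
    return msg


def priming_response(signed, sig_len=256):
    """The '. NS' priming answer with glue; with signed=True every A and AAAA
    RRset in the additional section is followed by its RRSIG."""
    answer = [(".", TYPE_NS, f"{c}.root-servers.net.") for c in ROOT_SERVER_LABELS]
    additional = []
    for c in ROOT_SERVER_LABELS:
        owner = f"{c}.root-servers.net."
        for rtype, addr in ((TYPE_A, ipaddress.IPv4Address(SAMPLE_V4[c])),
                            (TYPE_AAAA, ipaddress.IPv6Address(SAMPLE_V6[c]))):
            additional.append((owner, rtype, addr.packed))
            if signed:  # owner has 3 labels: a.root-servers.net
                additional.append((owner, TYPE_RRSIG,
                                   rrsig_rdata(rtype, 3, SIGNER, sig_len)))
    return build_response(".", TYPE_NS, answer, additional)


def size_comparison(sig_len=256):
    """Sizes of both variants plus the wire cost of a single RRSIG RR."""
    unsigned = len(priming_response(False))
    signed = len(priming_response(True, sig_len))
    n_rrsigs = 2 * len(ROOT_SERVER_LABELS)
    return {"unsigned": unsigned, "signed": signed, "rrsigs": n_rrsigs,
            "bytes_per_rrsig": (signed - unsigned) // n_rrsigs}


if __name__ == "__main__":
    for key, value in size_comparison().items():
        print(f"{key}: {value}")
```

With name compression the unsigned message comes to 800 bytes, close to the real-world priming response; each RSA-2048 RRSIG RR adds 304 bytes (2-byte compressed owner, 10-byte fixed header, 18-byte RRSIG fixed fields, 18-byte uncompressed signer name, 256-byte signature), so twenty-six of them push the message to 8704 bytes, well past any 4096-byte EDNS buffer and into TCP fallback. Passing `sig_len=64` shows how much of that penalty is the signature algorithm rather than DNSSEC itself.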
