On Mon, 8 Mar 2010, Joe Abley wrote:
> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be
> paraphrased as follows:
>
> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over
> the A and AAAA RRSets) which is a potential disadvantage

Is it? Is DNSSEC that bad then? Why did we design it that way?

> - however, since the root zone is signed, validators can already tell when they
> are talking to a root server that serves bogus information

How does that work without ROOT-SERVERS.NET being signed with a known trust
anchor?

How does my validating laptop know that the current wifi is not spoofing
a.ROOT-SERVERS.NET to some local IP?

> - signing ROOT-SERVERS.NET would result in potentially-harmful large responses
> with no increase in security

If it is harmful, we should abandon DNSSEC?

> I also find Jim's point regarding NET rather compelling. If the NET zone is not
> signed, then validating responses from a signed ROOT-SERVERS.NET zone would
> require yet another trust anchor to be manually-configured.
>
> It's hard for me to agree that the aggregate operational complexity involved in
> those manual trust anchors, and the potential effects of a KSK-roll without
> synchronised updating of that static configuration, represents a smaller risk
> than leaving the zone unsigned, at least for now.
>
> If this logic is faulty then I'd love to hear about it.

I agree about the trust anchor issue. Not so much with some of the statements
above it.

Paul
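To make the three positions in this exchange concrete, here is an added Python model (not code from the thread, from IETF DNSOP, or from any root-server operator) of the chain of trust as it stood in March 2010: the root zone is signed and the validator holds the root key as its trust anchor, while NET and ROOT-SERVERS.NET are unsigned. Textbook RSA over SHA-256 stands in for DNSKEY/RRSIG, a hash of the child's key stands in for DS, and everything else is constructed for the model: the zone contents, the TEST-NET address 192.0.2.1 for a.ROOT-SERVERS.NET, the spoofed 10.0.0.1, and the placeholder name ns.example. `run_scenarios()` reproduces Joe's claim (a forged root NS answer is rejected as bogus even when it comes from a spoofed root server, because the root RRSIGs cannot be forged), Paul's question (the A record of a.ROOT-SERVERS.NET lives in an unsigned zone, so a local network can spoof it and the validator can only call it "insecure"), and Jim's point (signing ROOT-SERVERS.NET under an unsigned NET changes nothing until a second, manually configured trust anchor is added, at which point the same spoof becomes bogus; with NET signed too, the chain from the root suffices).

```python
# Toy model of the DNSSEC chain of trust as the thread describes it (March 2010): root signed,
# NET and ROOT-SERVERS.NET unsigned. Zone data, addresses and the textbook-RSA stand-in for
# DNSKEY/RRSIG/DS are constructed for this model only; this is not production crypto.
import hashlib
import random

def _is_prime(n, rounds=16):                # Miller-Rabin; callers pass large odd candidates
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits=256):
    """Textbook RSA pair ((n, e), (n, d)) from two `bits`-bit primes: the model's DNSKEY."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c) and (c - 1) % e and c not in primes:
            primes.append(c)
    p, q = primes
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _digest(owner, rtype, rdata):           # SHA-256 of the RRset as an int, always < n
    return int.from_bytes(hashlib.sha256(repr((owner, rtype, tuple(rdata))).encode()).digest(), "big")
def sign(owner, rtype, rdata, private):     # the model's RRSIG over one RRset
    return pow(_digest(owner, rtype, rdata), private[1], private[0])
def verify(owner, rtype, rdata, sig, public):
    return pow(sig, public[1], public[0]) == _digest(owner, rtype, rdata)
def ds_of(public):                          # the model's DS record: hash of the child's key
    return hashlib.sha256(repr(public).encode()).hexdigest()

class Zone:                                 # RRsets keyed by (owner, type); signed zones add DNSKEY + RRSIGs
    def __init__(self, name, rrsets, key=None):
        self.name, self.rrsets, self.rrsigs, self.public = name, dict(rrsets), {}, None
        if key:
            self.public, private = key
            self.rrsets[(name, "DNSKEY")] = (repr(self.public),)
            self.rrsigs = {k: sign(*k, r, private) for k, r in self.rrsets.items()}
    def answer(self, owner, rtype):         # honest authoritative answer: (rdata, rrsig or None)
        return self.rrsets.get((owner, rtype)), self.rrsigs.get((owner, rtype))

def zone_key(name, zones, anchors):
    """Key the validator may trust for `name`: a public key, None (insecure) or 'bogus'."""
    if name in anchors:
        return anchors[name]
    zone = zones[name]
    if zone.public is None or name == ".":
        return None                         # unsigned zone, or signed root without an anchor
    parent = zones[name.split(".", 1)[1] or "."]
    pkey = zone_key(parent.name, zones, anchors)
    if pkey is None or pkey == "bogus":
        return pkey                         # no secure path through the parent
    ds, ds_sig = parent.answer(name, "DS")
    if ds is None:
        return None                         # signed parent but no DS: insecure delegation
    ok = verify(name, "DS", ds, ds_sig, pkey) and ds[0] == ds_of(zone.public)
    return zone.public if ok else "bogus"

def validate(zone_name, owner, rtype, rdata, rrsig, zones, anchors):
    """Classify a received answer as 'secure', 'insecure' or 'bogus'."""
    key = zone_key(zone_name, zones, anchors)
    if key is None:
        return "insecure"                   # nothing to check against: accepted as-is
    if key == "bogus" or rrsig is None or not verify(owner, rtype, rdata, rrsig, key):
        return "bogus"
    return "secure"

def build(sign_net=False, sign_rs=False):
    """Root always signed, NET and ROOT-SERVERS.NET optionally; returns (zones, root key)."""
    rs = Zone("root-servers.net.", {("a.root-servers.net.", "A"): ("192.0.2.1",)},
              keygen() if sign_rs else None)
    net_rr = {("root-servers.net.", "NS"): ("a.root-servers.net.",)}
    net_rr.update({("root-servers.net.", "DS"): (ds_of(rs.public),)} if sign_rs else {})
    net = Zone("net.", net_rr, keygen() if sign_net else None)
    root_rr = {(".", "NS"): ("a.root-servers.net.",), ("net.", "NS"): ("ns.example.",)}
    root_rr.update({("net.", "DS"): (ds_of(net.public),)} if sign_net else {})
    root = Zone(".", root_rr, keygen())
    return {z.name: z for z in (root, net, rs)}, root.public

def run_scenarios():
    """Answers as seen by a validating laptop on a hostile network: {case: verdict}."""
    glue, spoof, out = ("root-servers.net.", "a.root-servers.net.", "A"), ("10.0.0.1",), {}
    zones, root_pub = build()                               # the 2010 situation
    anchors = {".": root_pub}
    ns, sig = zones["."].answer(".", "NS")
    out["root NS, honest"] = validate(".", ".", "NS", ns, sig, zones, anchors)
    out["root NS, spoofed"] = validate(".", ".", "NS", ("evil.example.",), sig, zones, anchors)
    out["glue A spoofed, RS unsigned"] = validate(*glue, spoof, None, zones, anchors)
    zones, root_pub = build(sign_rs=True)                   # sign ROOT-SERVERS.NET only
    anchors = {".": root_pub}
    a, sig = zones["root-servers.net."].answer(*glue[1:])
    out["glue A spoofed, RS signed, NET unsigned"] = validate(*glue, spoof, sig, zones, anchors)
    anchors["root-servers.net."] = zones["root-servers.net."].public   # extra manual anchor
    out["glue A spoofed, extra anchor"] = validate(*glue, spoof, sig, zones, anchors)
    zones, root_pub = build(sign_net=True, sign_rs=True)    # full chain from the root
    a, sig = zones["root-servers.net."].answer(*glue[1:])
    out["glue A honest, NET and RS signed"] = validate(*glue, a, sig, zones, {".": root_pub})
    return out
```

The verdict names follow DNSSEC's secure / insecure / bogus validation states. The model only decides whether a chain of keys reaches the answer; real validators additionally check RRSIG validity windows, key tags, algorithm support and NSEC/NSEC3 proofs, none of which change the outcome of these particular cases.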
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop