On 2010-03-08, at 10:27, Paul Wouters wrote:

> On Mon, 8 Mar 2010, Joe Abley wrote:
>
>> Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think
>> be paraphrased as follows:
>>
>> - if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs
>> over the A and AAAA RRSets) which is a potential disadvantage
>
> Is it? Is DNSSEC that bad then? Why did we design it that way?

Practice with ORG and SE and CZ and other TLDs suggests that the harm is marginal. However, there's an argument that root servers have to worry about the effect of priming queries on a different client base, and hence perhaps some care is warranted.

Note that I said "potential disadvantage". I make no prediction as to whether there winds up being any discernible harm.

>> - however, since the root zone is signed, validators can already tell when
>> they are talking to a root server that serves bogus information
>
> How does that work without ROOT-SERVERS.NET being signed with a known trust
> anchor?

Because validators are equipped with a trust anchor for the root zone's KSK. An unsigned ROOT-SERVERS.NET might leave validators talking to a bogus root server, but they won't believe any of the signed replies they get from it.

> How does my validating laptop know that the current wifi is not spoofing
> a.ROOT-SERVERS.NET to some local IP?

I would suggest that your validating laptop doesn't care. The only reason people care about root servers is so that they can be pointed to servers which have the answers they want. End users don't typically seek answers which can be found solely in the ROOT-SERVERS.NET zone.

Joe

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
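
The "large responses" concern in the message above can be put in numbers. The following is an added example, not part of the original thread: it builds the wire format of a priming response (`. NS` plus address glue) with and without RRSIGs over the A and AAAA RRsets and compares the sizes. It assumes all 13 root server letters have both A and AAAA records, 128-byte signatures (RSA-1024), algorithm 8, and an EDNS0 OPT record; addresses and signatures are zero-filled placeholders, since only the length matters.

```python
import struct

ZONE = "root-servers.net."
SIG_BYTES = 128   # assumption: RSA-1024 signatures; the thread gives no key size
TTL = 3600000     # constructed value; does not affect the size

class Wire:  # minimal DNS message builder with RFC 1035 name compression
    def __init__(self):
        self.buf = bytearray(12)  # header left zeroed: only the size matters here
        self.seen = {}            # name suffix -> offset of its first occurrence

    def name(self, fqdn, compress=True):
        labels = [l for l in fqdn.lower().split(".") if l]
        for i, label in enumerate(labels):
            suffix = ".".join(labels[i:])
            if compress and suffix in self.seen:
                self.buf += struct.pack("!H", 0xC000 | self.seen[suffix])
                return
            if compress:
                self.seen[suffix] = len(self.buf)
            self.buf += bytes([len(label)]) + label.encode()
        self.buf.append(0)

    def rr(self, owner, rtype, *parts):
        self.name(owner)
        self.buf += struct.pack("!HHIH", rtype, 1, TTL, 0)  # RDLENGTH patched below
        start = len(self.buf)
        for p in parts:  # str = domain name, bytes = raw RDATA
            if isinstance(p, str):
                # NS targets may be compressed; an RRSIG signer name never is
                self.name(p, compress=(rtype == 2))
            else:
                self.buf += p
        struct.pack_into("!H", self.buf, start - 2, len(self.buf) - start)

def priming_response(signed):
    """Wire bytes of a '. NS' response with A/AAAA glue for 13 letters (assumed)."""
    w = Wire()
    w.buf += b"\0" + struct.pack("!HH", 2, 1)  # question: root name, NS, IN
    hosts = [f"{c}.{ZONE}" for c in "abcdefghijklm"]
    for h in hosts:
        w.rr(".", 2, h)
    for rtype, addr_len in ((1, 4), (28, 16)):  # A, AAAA
        for h in hosts:
            w.rr(h, rtype, bytes(addr_len))
            if signed:  # RRSIG (type 46) covering this RRset, zeroed signature
                fixed = struct.pack("!HBBIIIH", rtype, 8, 3, TTL, 0, 0, 0)
                w.rr(h, 46, fixed, ZONE, bytes(SIG_BYTES))
    w.buf += b"\0" + struct.pack("!HHIH", 41, 4096, 0, 0)  # EDNS0 OPT record
    return bytes(w.buf)
```

Under these assumptions the unsigned response is 811 bytes and the signed one is 5387 bytes, which is larger than a 4096-byte EDNS0 buffer, so a server would have to drop glue or set TC rather than return the full set.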