On 01/14/2014 12:08 PM, Andrew Sullivan wrote:
Good point. I think the idea is that this is a feature, because it's supposed to be the Mutually-Assured Destruction threat that will prevent the USG from unilaterally removing some country from the root zone (that seems to be the threat people are worried about.
It historically has been the main threat that several countries are worried about, however DNSSEC doesn't do anything to stop it. Other than the DS records (if any) the records associated with a given TLD (specifically the NS records) in the root are not signed.
Of course as DNSSEC becomes more important removal of the DS records will become correspondingly more important, but that's not the threat that these people care about.
Doug _______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
