On 8 jul 2014, at 02:55, David Conrad <[email protected]> wrote:
> The main argument against slaving the root I've seen appears to me to be FUD:
> "people running resolvers are too stupid to configure slaving the root
> correctly so root data will go stale!" (paraphrased).
I am a bit disappointed that you, David, do summarize the arguments against this
proposal in this way. Several weaknesses of the proposal have been
explained on several occasions (although of course those too with a bit of hand
waving), and they are definitely not "FUD" and definitely not limited to people
making mistakes.
What I have recommended Warren to do is to properly list the arguments, make a
proper analysis (an attack tree would be one good start) because my largest
fear is that the various issues that might look like weaknesses of the proposal
must be analyzed, and that they are not.
I have at least heard:
- Recovery process when bad data end up in the resolver (cache vs. auth)
- Routing issues (which is what I see as the largest burden of a root server
operator)
- Lack of DNSSEC validation
- The fact that not all data in the root zone is signed
- Political/regulative implications (to ensure a different TA is used than
ICANN)
- Lack of legal protection of the root zone itself
...and possibly more.
...and of course a combination of these.
Once again, this is such a large issue that I would prefer a bit better
arguments than what is demonstrated here.
Yes, I know you wrote in affection, but let this remind all of us that we can
do better.
Ok?
Patrik
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
