[DNSOP] Should root-servers.net be signed

"George Barwood" <george.barwood@blueyonder.co.uk> Sun, 07 March 2010 08:06 UTC

Return-Path: <george.barwood@blueyonder.co.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 69DA13A912D for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 00:06:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.566
X-Spam-Level: **
X-Spam-Status: No, score=2.566 tagged_above=-999 required=5 tests=[AWL=1.164, BAYES_50=0.001, HELO_EQ_BLUEYON=1.4, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id Tu1jse7CVbZb for <dnsop@core3.amsl.com>; Sun, 7 Mar 2010 00:06:43 -0800 (PST)
Received: from smtp-out3.blueyonder.co.uk (smtp-out3.blueyonder.co.uk []) by core3.amsl.com (Postfix) with ESMTP id D3D193A8EEF for <dnsop@ietf.org>; Sun, 7 Mar 2010 00:06:30 -0800 (PST)
Received: from [] (helo=anti-virus03-09) by smtp-out3.blueyonder.co.uk with smtp (Exim 4.52) id 1NoBVP-00074W-MJ for dnsop@ietf.org; Sun, 07 Mar 2010 08:06:31 +0000
Received: from [] (helo=GeorgeLaptop) by asmtp-out5.blueyonder.co.uk with esmtpa (Exim 4.52) id 1NoBVO-0006UH-Vk for dnsop@ietf.org; Sun, 07 Mar 2010 08:06:31 +0000
Message-ID: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
From: George Barwood <george.barwood@blueyonder.co.uk>
To: dnsop@ietf.org
Date: Sun, 07 Mar 2010 08:06:20 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04F8_01CABDCD.1263DBC0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
Subject: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 08:06:46 -0000

I have been wondering about this.

For a resolver behind a NAT firewall that removes port randomization,
it is possible for an attacker to spoof the priming query ( only 16 bits of
ID protection ).

If root-servers.net is unsigned, it's not possible for the resolver to validate
the set of root IP addresses, meaning that

(a) An attacker can control every unsigned zone.

(b) An attacker can monitor every request to a signed zone ( no privacy ).

(c) An attacker can deny service to any zone, on a selective basis.

Apparently there are currently no plans to sign root-servers.net

The main argument against seems to be that the priming query
response size (with DO=1) would be greatly increased.

Any thoughts?