Re: [DNSOP] Should root-servers.net be signed

Chris Thompson <cet1@cam.ac.uk> Mon, 08 March 2010 00:09 UTC

Date: Mon, 08 Mar 2010 00:09:28 +0000
From: Chris Thompson <cet1@cam.ac.uk>
To: George Barwood <george.barwood@blueyonder.co.uk>
Message-ID: <Prayer.1.3.2.1003080009280.18632@hermes-2.csi.cam.ac.uk>
In-Reply-To: <F7C1873BC5BD40988CEC30A6BC67CDDF@localhost>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <A76BB63E-F13B-4D90-BABB-89EB06C8E5F0@rfc1035.com> <4B93A046.4020209@necom830.hpcl.titech.ac.jp> <B98D66FF-E4EB-47BE-8302-D4C6D3E70238@icsi.berkeley.edu> <F7C1873BC5BD40988CEC30A6BC67CDDF@localhost>
Sender: Chris Thompson <cet1@hermes.cam.ac.uk>
Cc: dnsop@ietf.org

On Mar 7 2010, George Barwood wrote:

>The dependency on .net for the root name servers seems strange to me.
>
>Intuitively, I should not have to trust .net to get a validated set
>of root name servers.
>
>The names of the root name servers are somewhat arbitrary, and since
>they are very integral to the root zone, it would seem more straightforward
>to not put them into a public registry TLD, but rather to use
>a special TLD ( e.g. "root-servers" or possibly a sub-domain of ARPA ).
>I don't see any reason to use a sub-zone, the records may as well go
>in the root I think ( allows a secure resolver to start up slightly
>faster ).

I have a lot of sympathy with that PoV.

It's notable that draft-jabley-reverse-servers intends to put
nameservers for the "arpa" sub-domains in matching sub-domains 
of "arpa" (but still seems to mandate more zone cuts than seem 
advisable to me).

>I note that .se does sign its name servers.

And indeed ns.se is in the se zone (no zone cut). But the consequence
is that a DO=1 "priming" query for "se" returns 2706 bytes while one for
"." from the (DURZ-signed) root servers returns only 801 bytes.

-- 
Chris Thompson               University of Cambridge Computing Service,
Email: cet1@ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
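The size difference Chris measures above (a DO=1 priming answer for "se" versus one for ".") comes from where the name servers' address records live: a.ns.se and friends are authoritative data inside "se", so every A and AAAA RRset in the additional section carries its own RRSIG, while the root-servers.net glue the root servers hand back is out-of-zone and unsigned. The following is an added example, not code from the thread or from any DNS implementation: it builds a DO=1 priming query on the wire and models both kinds of answer so the effect can be seen without network access. The server names, addresses, key tag, timestamps and the zero-filled 128-byte signatures are constructed placeholders, and the resulting byte counts are illustrative rather than the 2706/801 measured in the message.

```python
"""Added example, not code from the thread: build a DO=1 priming query and model
why "se" (servers in-zone) answers with a far larger message than "." (root-
servers.net glue out-of-zone, unsigned). All names, addresses and signatures
are constructed placeholders."""
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, TYPE_RRSIG = 1, 2, 28, 41, 46
CLASS_IN, TTL = 1, 518400
EDNS_DO = 0x8000   # DNSSEC OK: bit 15 of the OPT RR's TTL field (RFC 3225)


def labels(name: str) -> list[str]:
    return [l for l in name.rstrip(".").split(".") if l]


class Message:
    """Wire-format DNS message builder with RFC 1035 name compression."""

    def __init__(self, qid: int, flags: int) -> None:
        self.buf = bytearray(struct.pack("!HH", qid, flags) + bytes(8))
        self.counts = [0, 0, 0, 0]         # QD, AN, NS, AR; patched in to_bytes()
        self.offsets: dict[str, int] = {}  # name suffix -> offset of first occurrence

    def name(self, name: str) -> bytes:
        """Encode `name` as if appended now, pointing at any suffix already present."""
        out, labs = b"", labels(name)
        for i, label in enumerate(labs):
            suffix = ".".join(labs[i:])
            if suffix in self.offsets:
                return out + struct.pack("!H", 0xC000 | self.offsets[suffix])
            self.offsets[suffix] = len(self.buf) + len(out)
            out += bytes([len(label)]) + label.encode("ascii")
        return out + b"\x00"

    def question(self, qname: str, qtype: int) -> None:
        self.buf += self.name(qname) + struct.pack("!HH", qtype, CLASS_IN)
        self.counts[0] += 1

    def rr(self, section: int, owner: str, rtype: int, rdata) -> None:
        """Append an RR to section 1/2/3; str rdata is a name, compressed in place."""
        self.buf += self.name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, TTL, 0)
        rdlen_at = len(self.buf) - 2
        rdata = self.name(rdata) if isinstance(rdata, str) else rdata
        self.buf += rdata
        struct.pack_into("!H", self.buf, rdlen_at, len(rdata))
        self.counts[section] += 1

    def opt(self, bufsize: int, do: bool) -> None:
        """EDNS0 OPT pseudo-RR: root owner, class = UDP payload size, TTL = ext flags."""
        self.buf += b"\x00" + struct.pack("!HHIH", TYPE_OPT, bufsize, EDNS_DO if do else 0, 0)
        self.counts[3] += 1

    def to_bytes(self) -> bytes:
        struct.pack_into("!HHHH", self.buf, 4, *self.counts)
        return bytes(self.buf)


def rrsig_rdata(covered: int, signer: str, owner_labels: int, sig_len: int) -> bytes:
    """RFC 4034 RRSIG rdata with placeholder key tag/times and a zero-filled signature."""
    fixed = struct.pack("!HBBIIIH", covered, 8, owner_labels, TTL, 0x4B9B0000, 0x4B950000, 12345)
    signer_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels(signer)) + b"\x00"
    return fixed + signer_wire + bytes(sig_len)   # the signer name is never compressed


def build_priming_query(zone: str, do: bool = True, bufsize: int = 4096) -> bytes:
    m = Message(qid=0x1234, flags=0)       # RD=0: sent straight to an authoritative server
    m.question(zone, TYPE_NS)
    m.opt(bufsize, do)
    return m.to_bytes()


def query_sets_do(msg: bytes) -> bool:
    """Read the DO bit back out of a query's trailing OPT RR."""
    _, rtype, _, ext_flags, _ = struct.unpack("!BHHIH", msg[-11:])
    return rtype == TYPE_OPT and bool(ext_flags & EDNS_DO)


def build_priming_response(zone: str, servers: dict[str, list[str]], signed: bool,
                           glue_in_zone: bool, sig_len: int = 128) -> bytes:
    """NS RRset (+RRSIG if `signed`) in the answer section, addresses in additional;
    address RRsets get their own RRSIGs only when they are `zone`'s own data (`glue_in_zone`)."""
    m = Message(qid=0x1234, flags=0x8400)  # QR=1, AA=1
    m.question(zone, TYPE_NS)
    for host in servers:
        m.rr(1, zone, TYPE_NS, host)
    if signed:
        m.rr(1, zone, TYPE_RRSIG, rrsig_rdata(TYPE_NS, zone, len(labels(zone)), sig_len))
    for host, addr_strs in servers.items():
        addrs = [ipaddress.ip_address(a) for a in addr_strs]
        for rtype, version in ((TYPE_A, 4), (TYPE_AAAA, 6)):
            rrset = [a for a in addrs if a.version == version]
            for a in rrset:
                m.rr(3, host, rtype, a.packed)
            if rrset and signed and glue_in_zone:
                m.rr(3, host, TYPE_RRSIG, rrsig_rdata(rtype, zone, len(labels(host)), sig_len))
    m.opt(4096, True)
    return m.to_bytes()


# Constructed topologies: 13 out-of-zone root servers, 8 in-zone servers for "se".
ROOT_SERVERS = {f"{c}.root-servers.net": [f"192.0.2.{i + 1}", f"2001:db8::{i + 1}"]
                for i, c in enumerate("abcdefghijklm")}
SE_SERVERS = {f"{c}.ns.se": [f"198.51.100.{i + 1}", f"2001:db8:1::{i + 1}"]
              for i, c in enumerate("abcdefgh")}

if __name__ == "__main__":
    for zone, servers, in_zone in ((".", ROOT_SERVERS, False), ("se", SE_SERVERS, True)):
        size = len(build_priming_response(zone, servers, signed=True, glue_in_zone=in_zone))
        print(f"{zone!r:5} DO=1 priming response: {size} bytes")
```

With these constructed inputs the modelled "se" answer is a few times the size of the root one, and building the same "se" answer with `signed=False` drops it below the root answer: the growth is almost entirely the per-RRset signatures over in-zone address records, not the NS set itself. The real measurement is reproduced with `dig +dnssec +norecurse @a.root-servers.net . NS` and the same query for `se` against one of its servers, comparing the `MSG SIZE rcvd` lines; real servers also compress, omit glue they cannot fit and use whatever key sizes the zone operator chose, so the absolute numbers will differ from the model.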