Re: [DNSOP] Should be signed

Chris Thompson <> Mon, 08 March 2010 00:09 UTC

Date: Mon, 08 Mar 2010 00:09:28 +0000
From: Chris Thompson <>
To: George Barwood <>
List-Id: IETF DNSOP WG mailing list <>

On Mar 7 2010, George Barwood wrote:

>The dependency on .net for the root name servers seems strange to me.
>Intuitively, I should not have to trust .net to get a validated set
>of root name servers.
>The names of the root name servers are somewhat arbitrary, and since
>they are very integral to the root zone, it would seem more straight-
>forward to not put them into a public registry TLD, but rather to use
>a special TLD ( e.g. "root-servers" or possibly a sub-domain of ARPA ).
>I don't see any reason to use a sub-zone, the records may as well go
>in the root I think ( allows a secure resolver to start up slightly
>faster ).

I have a lot of sympathy with that PoV.

It's notable that draft-jabley-reverse-servers intends to put
nameservers for the "arpa" sub-domains in matching sub-domains 
of "arpa" (but still seems to mandate more zone cuts than seem 
advisable to me).

>I note that .se does sign its name servers.

And indeed is in the se zone (no zone cut). But the consequence
is that a DO=1 "priming" query for "se" returns 2706 bytes while one for
"." from the (DURZ-signed) root servers returns only 801 bytes.

Chris Thompson               University of Cambridge Computing Service,
Email:    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.
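The size difference Chris reports (2706 bytes for a DO=1 "se" priming query versus 801 bytes for ".") comes down to where the nameserver address records live: inside the signed zone with no zone cut, every A/AAAA RRset carries its own RRSIG in the reply, whereas out-of-zone glue below a delegation is unsigned. The following is an added example, not code from the thread or from any resolver; it builds a DO=1 priming query, constructs two synthetic priming responses (one with unsigned glue, one with in-zone signed address records) and breaks the reply down by section and RR type so the RRSIG overhead is visible. All server names, addresses, TTLs, key tags and signature bytes are invented, and no name compression is used, so the byte counts illustrate the effect rather than reproduce real-world figures.

```python
"""Added example (not from the DNSOP thread): account for the bytes in a
DO=1 priming response and show why signing nameserver address records
in-zone inflates the reply compared with unsigned out-of-zone glue.
Every record below is constructed for illustration; names, addresses,
TTLs, key tags and signature contents are invented."""
import struct

A, NS, OPT, RRSIG = 1, 2, 41, 46
IN = 1


def encode_name(name):
    """Wire-format a dotted name with no compression; "." encodes as a single 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rr(name, rtype, rdata, ttl=3600):
    """One resource record: owner, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, IN, ttl, len(rdata)) + rdata


def fake_rrsig(covered, signer, sig_len=128):
    """RRSIG RDATA (RFC 4034 s3.1) with a dummy signature of sig_len bytes (assumed size)."""
    fixed = struct.pack("!HBBIIIH", covered, 8, 1, 3600, 1300000000, 1299000000, 12345)
    return fixed + encode_name(signer) + b"\x00" * sig_len


def edns_opt(udp_size=4096, do=True):
    """OPT pseudo-RR: owner ".", CLASS = UDP payload size, TTL field carries the DO flag."""
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0x8000 if do else 0, 0)


def build_query(qname, qtype=NS, do=True):
    """Priming-style query: RD=0, one question, EDNS0 OPT with DO=1."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0000, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", qtype, IN) + edns_opt(do=do)


def build_priming_response(apex, servers, sign_addresses):
    """Synthetic AA reply to <apex> NS: NS RRset + RRSIG in the answer section,
    A records in the additional section, each with its own RRSIG when the
    address records are authoritative in-zone data rather than glue."""
    names = [n for n, _ in servers]
    answer = b"".join(rr(apex, NS, encode_name(n)) for n in names)
    answer += rr(apex, RRSIG, fake_rrsig(NS, apex))
    additional = b""
    for n, ip in servers:
        additional += rr(n, A, bytes(int(x) for x in ip.split(".")))
        if sign_addresses:
            additional += rr(n, RRSIG, fake_rrsig(A, apex))
    additional += edns_opt()
    ancount = len(names) + 1
    arcount = len(servers) * (2 if sign_addresses else 1) + 1
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, ancount, 0, arcount)  # QR=1, AA=1
    return header + encode_name(apex) + struct.pack("!HH", NS, IN) + answer + additional


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we left off
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def size_by_section(msg):
    """Return {section: {rtype: bytes}} covering the whole wire size of each RR."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4
    out = {}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        bucket = out.setdefault(section, {})
        for _ in range(count):
            start = off
            _, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            bucket[rtype] = bucket.get(rtype, 0) + (off - start)
    return out


# Constructed server sets: 13 names under a delegated sub-zone (unsigned glue)
# versus 13 names directly inside the signed apex zone (no zone cut).
LETTERS = "abcdefghijklm"
GLUE_LAYOUT = [(f"{c}.ns.example.", f"192.0.2.{i + 1}") for i, c in enumerate(LETTERS)]
IN_ZONE_LAYOUT = [(f"{c}.ns.se.", f"192.0.2.{i + 1}") for i, c in enumerate(LETTERS)]


def compare_layouts():
    """Return {layout: (total_bytes, per-section breakdown)} for both layouts."""
    glue = build_priming_response(".", GLUE_LAYOUT, sign_addresses=False)
    in_zone = build_priming_response("se.", IN_ZONE_LAYOUT, sign_addresses=True)
    return {"glue": (len(glue), size_by_section(glue)),
            "in_zone": (len(in_zone), size_by_section(in_zone))}


if __name__ == "__main__":
    for label, (total, sections) in compare_layouts().items():
        print(f"{label}: {total} bytes")
        for section, types in sections.items():
            print(f"  {section}: {types}")
```

Running it prints the per-type byte totals for each section; the additional section of the in-zone layout carries one RRSIG per address RRset, which is where most of the extra bytes go. Swapping `fake_rrsig`'s `sig_len` for the signature size of the algorithm actually in use, or adding AAAA records, moves the totals but not the conclusion.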