[DNSOP] Re: [Ext] To sign root-servers.net or not?

Geoff Huston <gih@apnic.net> Mon, 17 June 2024 23:04 UTC

From: Geoff Huston <gih@apnic.net>
To: Paul Hoffman <paul.hoffman@icann.org>
Date: Mon, 17 Jun 2024 23:04:05 +0000
Message-ID: <2B612F68-5783-4BF4-9AE6-0BC711032FBC@apnic.net>
References: <CADyWQ+GH-8XsxPqCvBQ2p1mDwz1uG0+RPdyrKX8P=LRS6Am_aQ@mail.gmail.com> <426AA277-1698-4EE4-B3E9-745DB9EAA947@strandkip.nl> <CADyWQ+Hn260OEfcF8HEJ0jbfGOvL3GZnQN9=Bpod40TVxY8U_g@mail.gmail.com> <E257658D-F24C-4B84-929B-47FF3BCC1209@apnic.net> <0B3AB1AD-9A4C-41A1-BD20-6C13B590F3A0@icann.org>
In-Reply-To: <0B3AB1AD-9A4C-41A1-BD20-6C13B590F3A0@icann.org>
CC: dnsop <dnsop@ietf.org>
Subject: [DNSOP] Re: [Ext] To sign root-servers.net or not?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/3vhb0nfCN-6Kfnh27IZRZxHjm7Q>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

Thanks for the pointer!

g


> On 18 Jun 2024, at 7:17 AM, Paul Hoffman <paul.hoffman@icann.org> wrote:
> 
> On Jun 17, 2024, at 13:33, Geoff Huston <gih@apnic.net> wrote:
>> 
>> [change of topic]
>> 
>> "things that the IETF may not have the final say on."
>> 
>> Possibly true in this case, but not having the final say is very different to "having a say"
>> 
>> I would find it interesting to understand the current state of thinking in DNSOP as to 
>> whether to DNSSEC-sign the root-servers.net zone. Are there folk with thoughts
>> and opinions on this topic?
> 
> Thoughts *and data*! A few weeks ago on this list (https://mailarchive.ietf.org/arch/msg/dnsop/JEChrjGKGhQzwo5dCuWZm4lcm5g) I posted:
> 
>> FWIW, this new text is somewhat based on the findings from NLnetLabs and SIDN on a project supported by ICANN. You can see the report, and an earlier report on a related topic, at:
>>  https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en
> 
> --Paul Hoffman
>