IETF Logo Mail Archive

Re: [DNSOP] On resolver priming

Paul Hoffman <paul.hoffman@vpnc.org> Sat, 13 November 2010 21:37 UTC

Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 391A83A69FE for <dnsop@core3.amsl.com>; Sat, 13 Nov 2010 13:37:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.535
X-Spam-Level:
X-Spam-Status: No, score=-100.535 tagged_above=-999 required=5 tests=[AWL=-0.348, BAYES_20=-0.74, HELO_MISMATCH_COM=0.553, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HZZcII8ftCIC for <dnsop@core3.amsl.com>; Sat, 13 Nov 2010 13:36:57 -0800 (PST)
Received: from hoffman.proper.com (Hoffman.Proper.COM [207.182.41.81]) by core3.amsl.com (Postfix) with ESMTP id 04B593A6BCA for <dnsop@ietf.org>; Sat, 13 Nov 2010 13:36:54 -0800 (PST)
Received: from [130.129.72.80] (dhcp-4850.meeting.ietf.org [130.129.72.80]) (authenticated bits=0) by hoffman.proper.com (8.14.4/8.14.3) with ESMTP id oADLbLPu074662 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sat, 13 Nov 2010 14:37:24 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
Mime-Version: 1.0
Message-Id: <p06240819c904b518c354@[130.129.72.80]>
In-Reply-To: <465427C4-153F-4947-B719-E62F8D9FFBFF@bondis.org>
References: <20101111100350.GA1997@shinkuro.com> <20101111184914.GA12031@DUL1MLARSON-M1.labs.vrsn.com> <p0624080fc902387a14c5@[130.129.37.235]> <046B85AE-F7E0-4166-AC5C-7CEFAEB5FC6A@virtualized.org> <p0624083cc9037a3d2cac@[130.129.37.235]> <465427C4-153F-4947-B719-E62F8D9FFBFF@bondis.org>
Date: Sun, 14 Nov 2010 05:37:21 +0800
To: Joao Damas <joao@bondis.org>
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset="us-ascii"
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>
Subject: Re: [DNSOP] On resolver priming
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 13 Nov 2010 21:37:04 -0000

At 6:02 PM +0100 11/13/10, Joao Damas wrote:
>I would hope root-servers.net would have its own key and not simply use some other key that happens to be "lying around". Or did you mean signing of the DS record for root-servers.net?

Yes, of course.

>In any case .net is going to be signed within 6 weeks. I would be surprise if root-servers.net can get all the rubber stamps in place by then, so not having .net signed right now is not an argument against starting the root-servers.net process now.

+1

> > A different way to think of this problem is that the registrant of this zone, VeriSign, should simply sign the zone just like it does other zones it controls, such as verisign.net. It would be hard for VeriSign to claim that signing verisign.net is of more security value than signing root-servers.net.
> >
>
>the admin contact is the IANA, not Verisign.

Indeed, but according to whois, VeriSign is both the registrant and the technical contact. Having said that, it is quite reasonable for the admin contact to decide to sign a zone and ask the parent to publish the keys.

--Paul Hoffman, Director
--VPN Consortium

v2.23.0 | Report a Bug | By Email