Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
Mark Andrews <marka@isc.org> Wed, 15 January 2014 01:54 UTC
To: Doug Barton <dougb@dougbarton.us>
From: Mark Andrews <marka@isc.org>
References: <20140114172240.GO17198@mx1.yitter.info> <C6EFA413-1FFC-4188-B98A-13C747981FBC@hopcount.ca> <20140114200849.GA17907@mx1.yitter.info> <52D5D9C8.6050902@dougbarton.us> <52D5DB58.3040103@dougbarton.us>
In-reply-to: Your message of "Tue, 14 Jan 2014 16:50:32 -0800." <52D5DB58.3040103@dougbarton.us>
Date: Wed, 15 Jan 2014 12:54:19 +1100
Message-Id: <20140115015420.131D8CFC36E@rock.dv.isc.org>
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
In message <52D5DB58.3040103@dougbarton.us>, Doug Barton writes:

> On 01/14/2014 04:43 PM, Doug Barton wrote:
> > Other than the DS records (if any) the records associated with a given
> > TLD (specifically the NS records) in the root are not signed.
>
> ... obviously the glue records are not signed either of course. My point
> was that it's the delegation that some paranoid countries don't want
> removed, and DNSSEC isn't going to help that.
>
> Doug

And anyone can take the existing root zone, add a delegation and sign the
result with any key they control. If a government was to remove a ccTLD,
I would suspect that there would be hundreds of people offering such zones.

Additionally, you can just graft on a TLD and associated trust anchor with
existing validators if you don't want to regenerate the root, or, if you
don't want to trust some random person to sign the root zone for you, you
can do it that way.

Removal of a ccTLD would cause short-term disruption, but the net as a whole
would route around the breakage. We have seen plenty of examples of this in
the past.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
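One concrete form of the "graft on a TLD and its trust anchor" option Mark mentions, as an added illustration that is not from the thread: a BIND 9.16+ named.conf fragment that pins a TLD's own KSK as a trust anchor and sends queries for that TLD straight to its servers, so names under it validate and resolve without depending on the root's delegation. The TLD name "example", the address 192.0.2.53 and the key string are placeholders.

```conf
// Added example, not from the thread. Assumes BIND 9.16 or later.
// "example" stands in for the ccTLD; the address and key are placeholders.
options {
    dnssec-validation auto;   // normal root anchor still used for everything else
};

// Trust the TLD's KSK directly: the chain of trust for names under it now
// starts here rather than at the root's DS record for the TLD.
trust-anchors {
    example. static-key 257 3 13 "<base64 public key of the TLD KSK>";
};

// Reach the TLD's authoritative servers without the root's NS records for
// it; only the delegation point is overridden, the TLD's own data is still
// fetched from and validated against those servers.
zone "example" {
    type static-stub;
    server-addresses { 192.0.2.53; };
};
```

A static-key anchor is not updated by RFC 5011 automation, so it has to be replaced by hand when the TLD rolls its KSK, otherwise every name under it goes bogus.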