Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Mark Andrews <marka@isc.org> Wed, 15 January 2014 01:54 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BBF51AE10A for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 17:54:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.539
X-Spam-Level:
X-Spam-Status: No, score=-2.539 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.538, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0pn6IxTTxmn for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 17:54:47 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 4B1851AD8EE for <dnsop@ietf.org>; Tue, 14 Jan 2014 17:54:47 -0800 (PST)
Received: from mx.pao1.isc.org (localhost [127.0.0.1]) by mx.pao1.isc.org (Postfix) with ESMTP id D4787C9423; Wed, 15 Jan 2014 01:54:22 +0000 (UTC) (envelope-from marka@isc.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isc.org; s=dkim2012; t=1389750875; bh=ebv4y+HrPO+TGlkZw8XxmBAQMjxUKY8mhfsi7HonSmE=; h=To:Cc:From:References:Subject:In-reply-to:Date; b=VGgFE8KdCA84TYSMVR2Uu8AnkWrehxusMxhU67zRzS4/kk/6nwJro22i1MlmaFtLy FOEARRBQWZ/VJHyS8lyiaAFXWZebKapAWar8HBqFJzFbaknvn4yLQy1OQSJoGskIqF ft3nk6A3PKLMSO1RAtLbrvETgk6Z8i2mGqa2l+t4=
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.pao1.isc.org (Postfix) with ESMTP; Wed, 15 Jan 2014 01:54:22 +0000 (UTC) (envelope-from marka@isc.org)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 8CB79160459; Wed, 15 Jan 2014 02:05:14 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 5AE3D16032F; Wed, 15 Jan 2014 02:05:14 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 131D8CFC36E; Wed, 15 Jan 2014 12:54:20 +1100 (EST)
To: Doug Barton <dougb@dougbarton.us>
From: Mark Andrews <marka@isc.org>
References: <20140114172240.GO17198@mx1.yitter.info> <C6EFA413-1FFC-4188-B98A-13C747981FBC@hopcount.ca> <20140114200849.GA17907@mx1.yitter.info> <52D5D9C8.6050902@dougbarton.us> <52D5DB58.3040103@dougbarton.us>
In-reply-to: Your message of "Tue, 14 Jan 2014 16:50:32 -0800." <52D5DB58.3040103@dougbarton.us>
Date: Wed, 15 Jan 2014 12:54:19 +1100
Message-Id: <20140115015420.131D8CFC36E@rock.dv.isc.org>
X-DCC--Metrics: post.isc.org; whitelist
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2014 01:54:48 -0000

In message <52D5DB58.3040103@dougbarton.us>us>, Doug Barton writes:
> On 01/14/2014 04:43 PM, Doug Barton wrote:
> > Other than the DS records (if any) the records associated with a given
> > TLD (specifically the NS records) in the root are not signed.
> 
> ... obviously the glue records are not signed either of course. My point 
> was that it's the delegation that some paranoid countries don't want 
> removed, and DNSSEC isn't going to help that.
> 
> Doug

And anyone can take the existing root zone, add a delegation and
sign the result with any key of they control.  If a government was
to remove a ccTLD I would suspect that there would be hundreds of
people offering such zones.

Additionally you can just graft on a tld and associated trust anchor
with existing validators if you don't want to regenerate the root
or if you don't want to trust some random person to sign the root
zone for you you can do it that way.

Removal of a ccTLD would cause short term disruption but the net
as a whole would route around the breakage.  We have seen plenty
of examples of this in the past.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org