[DNSOP] Re: Updates to root zone access and redesign of updates

Paul Vixie <paul@redbarn.org> Thu, 13 November 2025 07:00 UTC

From: Paul Vixie <paul@redbarn.org>
To: dnsop@ietf.org
Date: Thu, 13 Nov 2025 07:00:00 +0000
Message-ID: <2321130.vFx2qVVIhK@localhost>
Organization: FW
In-Reply-To: <CABf5zvLEohP2bVaZejg+swe25w_USzgD2KJ79ppdAy_EVpRFig@mail.gmail.com>
References: <e88ca64d-c439-41dd-a82b-b89e404ab840@desec.io> <20251113020309.B9403E7606D0@ary.qy> <CABf5zvLEohP2bVaZejg+swe25w_USzgD2KJ79ppdAy_EVpRFig@mail.gmail.com>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Nj7Es8071xj_xqFF_oMKu7KNoNQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>

On Thursday 13 November 2025 05:07:30 UTC Steve Crocker wrote:
> ...
> 
> [Levine] argue the USG could require the USG root operators, E, G and H, to
> simply not respond to queries for .ru, .su, ."rho phi" or the USG could
> force distribution of a modified root zone that would be unsigned or have
> an invalid signature.  But I think everyone would quickly ignore the
> unsigned or invalidly signed root zone and remove the E, G and H roots from
> their list of root servers.

i agree.

> The above is, as you said, all at the technical level.  Another reason for
> implementing strong technical controls is it sends a clear message that
> root zone integrity is taken seriously, and makes it less likely the USG
> would try to subvert it.

one of the things we showed in the Yeti DNS project a few years ago is that fetching a 
zone, stripping its keys and signatures, adding an equivalent local set of keys and 
signatures, and republishing the modified zone to a trusting community of rdns 
operators, allows for modifications. our only modification was to replace the apex NS 
RRset, which was the actual purpose of the Yeti DNS experiment. however, the dnssec 
implications of our prework were profound.

i do not know why every nation and every large corporation doesn't do this, and make it a 
matter of local law or policy that the economy must trust the replacement key and use 
the replacement servers for priming. i'm glad they don't, but it would (technically 
speaking) work just fine.

-- 
Paul Vixie
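The re-signing prework described in the message above, as an added example that is not Yeti DNS code and not from the author: a constructed model of a zone (text records, a toy canonical form in the spirit of RFC 4034 section 3.1.8.1, one Ed25519 signature per RRset as DNSSEC algorithm 15 uses), a Sign step that strips the publisher's DNSKEY and RRSIG data and signs with a local key, a Resign step that also replaces the apex NS RRset, and a Validate step that behaves like a resolver configured with a single trust anchor. All names (a.root-servers.example., ns1.local.example., the DS digest) and the single-key layout are assumptions for illustration; the real root has a KSK/ZSK split, RRSIG validity windows and NSEC chains that this model omits.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record (owner, type, rdata as text): a constructed model, not wire format.
type RR struct{ Name, Type, Data string }

// Zone holds records plus one RRSIG-equivalent per RRset, keyed "owner/type": an
// Ed25519 signature (DNSSEC algorithm 15, RFC 8080) over the canonical RRset.
type Zone struct{ Apex string; RRs []RR; Sigs map[string][]byte }

func key(name, typ string) string { return strings.ToLower(name) + "/" + typ }
// RRsets groups rdata by owner and type, as a signer or validator would.
func RRsets(rrs []RR) map[string][]string {
	sets := map[string][]string{}
	for _, rr := range rrs {
		k := key(rr.Name, rr.Type)
		sets[k] = append(sets[k], rr.Data)
	}
	return sets
}

// canonical: RRset identity, then sorted rdata, each field length-prefixed (spirit of RFC 4034 3.1.8.1).
func canonical(k string, datas []string) []byte {
	sorted := append([]string(nil), datas...)
	sort.Strings(sorted)
	var b bytes.Buffer
	for _, s := range append([]string{k}, sorted...) {
		b.Write([]byte{byte(len(s) >> 8), byte(len(s))})
		b.WriteString(s)
	}
	return b.Bytes()
}

// Sign drops any DNSKEY/RRSIG data already present, publishes pub as the only
// apex DNSKEY, and signs every RRset (DNSKEY included) with priv.
func Sign(apex string, rrs []RR, pub ed25519.PublicKey, priv ed25519.PrivateKey) Zone {
	z := Zone{Apex: apex, Sigs: map[string][]byte{}}
	for _, rr := range rrs {
		if rr.Type != "DNSKEY" && rr.Type != "RRSIG" {
			z.RRs = append(z.RRs, rr)
		}
	}
	z.RRs = append(z.RRs, RR{apex, "DNSKEY", hex.EncodeToString(pub)})
	for k, datas := range RRsets(z.RRs) {
		z.Sigs[k] = ed25519.Sign(priv, canonical(k, datas))
	}
	return z
}

// Validate acts as a resolver with a single trust anchor: the apex DNSKEY RRset
// must contain the anchor and every RRset in the zone must verify under it.
func Validate(z Zone, anchor ed25519.PublicKey) bool {
	sets := RRsets(z.RRs)
	ok := false
	for _, d := range sets[key(z.Apex, "DNSKEY")] {
		ok = ok || d == hex.EncodeToString(anchor)
	}
	for k, datas := range sets {
		ok = ok && ed25519.Verify(anchor, canonical(k, datas), z.Sigs[k])
	}
	return ok
}

// Resign is the prework the message describes: strip the publisher's keys and
// signatures, swap the apex NS RRset for local servers, and sign with local keys.
func Resign(z Zone, newNS []string, pub ed25519.PublicKey, priv ed25519.PrivateKey) Zone {
	var rrs []RR
	for _, rr := range z.RRs {
		if rr.Type != "NS" || !strings.EqualFold(rr.Name, z.Apex) {
			rrs = append(rrs, rr)
		}
	}
	for _, ns := range newNS {
		rrs = append(rrs, RR{z.Apex, "NS", ns})
	}
	return Sign(z.Apex, rrs, pub, priv)
}

// BuildDemo signs a constructed "root" (two apex NS, one delegation) with a
// publisher key, then re-signs it with a local key. All names are examples only.
func BuildDemo() (published, local Zone, pubAnchor, localAnchor ed25519.PublicKey) {
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	locPub, locPriv, _ := ed25519.GenerateKey(rand.Reader)
	root := []RR{{".", "NS", "a.root-servers.example."}, {".", "NS", "b.root-servers.example."},
		{"example.", "NS", "ns.example."}, {"example.", "DS", "constructed-ds-digest"}}
	published = Sign(".", root, pubPub, pubPriv)
	local = Resign(published, []string{"ns1.local.example.", "ns2.local.example."}, locPub, locPriv)
	return published, local, pubPub, locPub
}

func main() {
	published, local, pubAnchor, localAnchor := BuildDemo()
	fmt.Println("published zone, publisher anchor:", Validate(published, pubAnchor))
	fmt.Println("re-signed zone, publisher anchor:", Validate(local, pubAnchor), "local anchor:", Validate(local, localAnchor))
}
```

The point the model makes concrete is the one in the message: the re-signed copy fails under the publisher's trust anchor and passes under the local one, with the delegation data below the apex untouched and only the apex NS RRset changed. Whether a resolver accepts the copy is therefore decided entirely by which anchor it is configured with and which servers it primes from, not by anything in the zone itself.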