[DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 14 January 2014 17:22 UTC

Return-Path: <ajs@anvilwalrusden.com>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 5C79B1AE113 for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 09:22:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.141
X-Spam-Status: No, score=-0.141 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_MISMATCH_INFO=1.448, HOST_MISMATCH_NET=0.311] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 4nC2-zVZkSXX for <dnsop@ietfa.amsl.com>; Tue, 14 Jan 2014 09:22:54 -0800 (PST)
Received: from mx1.yitter.info (ow5p.x.rootbsd.net []) by ietfa.amsl.com (Postfix) with ESMTP id 0551A1AE0DC for <dnsop@ietf.org>; Tue, 14 Jan 2014 09:22:53 -0800 (PST)
Received: from mx1.yitter.info (nat-02-mht.dyndns.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.yitter.info (Postfix) with ESMTPSA id 5DD9F8A031 for <dnsop@ietf.org>; Tue, 14 Jan 2014 17:22:42 +0000 (UTC)
Date: Tue, 14 Jan 2014 12:22:40 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20140114172240.GO17198@mx1.yitter.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Jan 2014 17:22:55 -0000

Dear colleagues,

For my sins, I have been following some of the recent discussions
about "Internet governance".  One of the discussions over on the
"1net" list (http://1net-mail.1net.org/mailman/listinfo/discuss) is
about the control by one particular government of the DNS root zone,
and how uncomfortable that makes some other governments.  The
consequence has been renewed discussion on a somewhat older proposal
for splitting up the management of the root zone keys.  The proposal
can be found at

The proposal has the appealing property that nobody can "hijack" the
root, and if you don't trust any particular actor then the approach
ensures that it is at least technically difficult (or detectable) that
someone has acted alone.  But it has always seemed to me that the
approach would result in a very great increase in the size of the root
key RRset as well as the RRSIGs necessary at least over the DNSKEY
RRset.  One response to this
is, "So what?  It's the root.  It'll be widely cached, and TCP is a
small price to pay for this on the occasions it's needed."

I am not sure I am so sanguine, but this put in my mind the
draft-ietf-dnsop-respsize draft, which I now realise was never
published as an RFC.

I'd like this thread to discuss the "so what, use TCP!" remark.  I'd
also like to ask either the chairs or the WG whether
draft-ietf-dnsop-respsize-14 needs revision and, if so, what revision
to be publishable, because I think it's needed advice.

Best regards,


Andrew Sullivan