Re: [DNSOP] Should be signed

Joe Abley <> Mon, 08 March 2010 14:38 UTC

To: George Barwood <>
Date: Mon, 08 Mar 2010 09:38:50 -0500
In-Reply-To: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>

On 2010-03-07, at 03:06, George Barwood wrote:

> I have been wondering about this.

Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows:

- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and AAAA RRSets) which is a potential disadvantage
- if we do not sign ROOT-SERVERS.NET there is a threat that the unsigned A and AAAA RRSets from ROOT-SERVERS.NET might be spoofed somehow and that the spoofing will be undetected
- however, since the root zone is signed, validators can already tell when they are talking to a root server that serves bogus information
- signing ROOT-SERVERS.NET would result in potentially harmful large responses with no increase in security
- let's not do that then

I also find Jim's point regarding NET rather compelling. If the NET zone is not signed, then validating responses from a signed ROOT-SERVERS.NET zone would require yet another trust anchor to be manually configured.

It's hard for me to agree that the aggregate operational complexity involved in those manual trust anchors, and the potential effects of a KSK-roll without synchronised updating of that static configuration, represents a smaller risk than leaving the zone unsigned, at least for now.

If this logic is faulty then I'd love to hear about it.


[*] I say "our", but really I mean my personal recollection of conversations with other members of the root-signing design team some time ago, which I haven't cross-checked with anybody before hitting send.
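The first bullet of the message above rests on the size cost of RRSIG records. The following script, an added example that is not part of the DNSOP thread or Joe Abley's message, builds RFC 1035 wire-format answers for a host's A or AAAA RRset by hand (standard library only) and reports the size with and without a DNSSEC signature, so the "large responses" trade-off can be seen in bytes. The host name, addresses, TTL, signer name, RRSIG timing fields, key tag and the RSA signature lengths (128 and 256 bytes for 1024- and 2048-bit keys) are constructed assumptions; authority and additional sections beyond the EDNS0 OPT record are not modelled.

```python
"""
Added example (not from the list thread): estimate how much DNSSEC adds to a
DNS response for a host's A or AAAA RRset.  Wire format is assembled by hand
per RFC 1035 / RFC 4034, so only the standard library is needed.  Names,
TTLs, addresses, RRSIG timing fields and signature sizes are constructed.
"""
import struct
from ipaddress import ip_address

TYPE_A, TYPE_AAAA, TYPE_RRSIG, TYPE_OPT = 1, 28, 46, 41
CLASS_IN = 1
RSASHA256 = 8                # DNSSEC algorithm number for RSA/SHA-256 (RFC 5702)
PTR_TO_QNAME = b"\xc0\x0c"   # compression pointer to the question name at offset 12


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, then a zero byte."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"


def rr(owner: bytes, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: owner (name or pointer), TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def rrsig_rdata(type_covered: int, owner: str, ttl: int, signer: str, sig_len: int) -> bytes:
    """RRSIG RDATA (RFC 4034 section 3.1): 18 fixed bytes, signer name, signature."""
    labels = len([lab for lab in owner.rstrip(".").split(".") if lab])
    inception, expiration, keytag = 1267920000, 1269129600, 12345   # constructed values
    fixed = struct.pack("!HBBIIIH", type_covered, RSASHA256, labels, ttl,
                        expiration, inception, keytag)
    # Zero bytes stand in for the signature; only its length matters for size.
    return fixed + encode_name(signer) + b"\x00" * sig_len


def response_size(owner: str, addresses: list, *, signed: bool, sig_len: int = 256,
                  signer: str = "root-servers.net.", ttl: int = 3600) -> int:
    """Wire size in bytes of an authoritative answer for owner's A or AAAA RRset.

    All addresses must be one family.  An EDNS0 OPT record (11 bytes) is always
    included, since a DNSSEC response only occurs for an EDNS query with DO set.
    """
    rdatas = [ip_address(a).packed for a in addresses]
    rtype = TYPE_A if len(rdatas[0]) == 4 else TYPE_AAAA
    ancount = len(rdatas) + (1 if signed else 0)
    # Header: ID, flags QR|AA, QDCOUNT=1, ANCOUNT, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, ancount, 0, 1)
    msg += encode_name(owner) + struct.pack("!HH", rtype, CLASS_IN)
    for rd in rdatas:
        msg += rr(PTR_TO_QNAME, rtype, ttl, rd)
    if signed:   # one RRSIG covers the whole RRset, not one per record
        msg += rr(PTR_TO_QNAME, TYPE_RRSIG, ttl,
                  rrsig_rdata(rtype, owner, ttl, signer, sig_len))
    # OPT pseudo-RR: root owner, UDP payload 4096, DO bit set in the TTL field
    msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return len(msg)


def rrsig_overhead(owner: str, signer: str = "root-servers.net.", sig_len: int = 256) -> int:
    """Bytes a single RRSIG adds to an answer, independent of the RRset's record count."""
    return len(rr(PTR_TO_QNAME, TYPE_RRSIG, 3600,
                  rrsig_rdata(TYPE_A, owner, 3600, signer, sig_len)))


if __name__ == "__main__":
    host = "a.root-servers.net."          # constructed; not the real address data
    for label, addrs in (("A", ["192.0.2.1"]), ("AAAA", ["2001:db8::1"])):
        plain = response_size(host, addrs, signed=False)
        for bits in (1024, 2048):
            size = response_size(host, addrs, signed=True, sig_len=bits // 8)
            verdict = "fits" if size <= 512 else "exceeds"
            print(f"{label}: unsigned {plain} B, RSA-{bits} signed {size} B "
                  f"({verdict} the classic 512-byte UDP limit)")
```

With these assumptions a single-record A answer grows from 63 to 367 bytes under a 2048-bit RSA key, and every further RRset that gets signed in the same message (NS in the authority section, glue with its own RRSIGs) adds a similar 300-odd bytes, which is how a response that is small today crosses the 512-byte line and falls back to truncation and TCP. The overhead is per RRset rather than per record, which is why `rrsig_overhead` takes no record count.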