Re: [DNSOP] Should root-servers.net be signed

Joe Abley <jabley@hopcount.ca> Mon, 08 March 2010 14:38 UTC

Return-Path: <jabley@hopcount.ca>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 467E93A699C for <dnsop@core3.amsl.com>; Mon, 8 Mar 2010 06:38:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wnshKji5mPwx for <dnsop@core3.amsl.com>; Mon, 8 Mar 2010 06:38:50 -0800 (PST)
Received: from monster.hopcount.ca (monster.hopcount.ca [216.235.14.38]) by core3.amsl.com (Postfix) with ESMTP id 347FB3A6904 for <dnsop@ietf.org>; Mon, 8 Mar 2010 06:38:50 -0800 (PST)
Received: from [199.212.90.17] (helo=dh17.r2.owls.hopcount.ca) by monster.hopcount.ca with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from <jabley@hopcount.ca>) id 1Noe8i-000P5w-7W; Mon, 08 Mar 2010 14:41:00 +0000
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset="us-ascii"
From: Joe Abley <jabley@hopcount.ca>
X-Priority: 3
In-Reply-To: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
Date: Mon, 08 Mar 2010 09:38:50 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost>
To: George Barwood <george.barwood@blueyonder.co.uk>
X-Mailer: Apple Mail (2.1077)
X-SA-Exim-Connect-IP: 199.212.90.17
X-SA-Exim-Mail-From: jabley@hopcount.ca
X-SA-Exim-Scanned: No (on monster.hopcount.ca); SAEximRunCond expanded to false
Cc: dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2010 14:38:51 -0000

On 2010-03-07, at 03:06, George Barwood wrote:

> I have been wondering about this.

Our[*] reasoning so far with respect to signing ROOT-SERVERS.NET can I think be paraphrased as follows:

- if we sign ROOT-SERVERS.NET it will trigger large responses (the RRSIGs over the A and AAAA RRSets) which is a potential disadvantage
- if we do not sign ROOT-SERVERS.NET there is a threat that the unsigned A and AAAA RRSets from ROOT-SERVERS.NET might be spoofed somehow and that the spoofing will be undetected
- however, since the root zone is signed, validators can already tell when they are talking to a root server that serves bogus information
- signing ROOT-SERVERS.NET would result in potentially harmful large responses with no increase in security
- let's not do that then

I also find Jim's point regarding NET rather compelling. If the NET zone is not signed, then validating responses from a signed ROOT-SERVERS.NET zone would require yet another trust anchor to be manually configured.

It's hard for me to agree that the aggregate operational complexity involved in those manual trust anchors, and the potential effects of a KSK roll without synchronised updating of that static configuration, represents a smaller risk than leaving the zone unsigned, at least for now.

If this logic is faulty then I'd love to hear about it.


Joe

[*] I say "our", but really I mean my personal recollection of conversations with other members of the root-signing design team some time ago, which I haven't cross-checked with anybody before hitting send.
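To put numbers on the "large responses" point in the first bullet above, here is an added illustration (not part of this thread, and not code from the root-signing design team): a minimal DNS message builder that encodes a single-RR answer for one root server name in wire format, with RFC 1035 name compression, and compares its size with and without an RRSIG over the RRset. It assumes RSASHA256 signatures of 256 bytes (a 2048-bit key), an uncompressed signer name in the RRSIG RDATA as RFC 4034 requires, and uses constructed documentation-range addresses rather than the real root server addresses.

```python
"""Estimate DNS wire-format response sizes for an unsigned versus a signed
ROOT-SERVERS.NET.  Added illustration; assumptions: 256-byte RSA signatures
(2048-bit key), owner names compressed per RFC 1035, RRSIG signer name left
uncompressed per RFC 4034 section 3.1."""
import ipaddress
import struct

HEADER_LEN = 12                      # RFC 1035 section 4.1.1
TYPE_A, TYPE_AAAA, TYPE_RRSIG = 1, 28, 46
CLASS_IN = 1
ALG_RSASHA256 = 8
TTL = 3600000

# Constructed sample addresses from the RFC 5737 / RFC 3849 documentation
# ranges.  These are NOT the real root server addresses.
SERVERS = {f"{c}.root-servers.net.": (f"192.0.2.{i + 1}", f"2001:db8::{i + 1}")
           for i, c in enumerate("abcdefghijklm")}


def labels_of(name):
    return [l.encode() for l in name.rstrip(".").split(".") if l]


def encode_name(name):
    """Uncompressed wire form of a domain name (used for the RRSIG signer)."""
    return b"".join(bytes([len(l)]) + l for l in labels_of(name)) + b"\x00"


class Message:
    """Minimal DNS message builder with RFC 1035 name compression."""

    def __init__(self):
        self.buf = bytearray(HEADER_LEN)   # fixed-size header, fields left zero
        self.offsets = {}                 # label suffix -> offset first seen

    def put_name(self, name):
        labels = tuple(labels_of(name))
        while labels:
            if labels in self.offsets:           # suffix already present: emit pointer
                self.buf += struct.pack("!H", 0xC000 | self.offsets[labels])
                return
            if len(self.buf) < 0x4000:           # pointers only address 14 bits
                self.offsets[labels] = len(self.buf)
            self.buf += bytes([len(labels[0])]) + labels[0]
            labels = labels[1:]
        self.buf += b"\x00"

    def put_question(self, qname, qtype):
        self.put_name(qname)
        self.buf += struct.pack("!HH", qtype, CLASS_IN)

    def put_rr(self, owner, rtype, rdata):
        self.put_name(owner)
        self.buf += struct.pack("!HHIH", rtype, CLASS_IN, TTL, len(rdata)) + rdata

    def put_rrsig(self, owner, covered, signer, sig_len):
        # RFC 4034 s3.1: 18 fixed bytes, signer name (never compressed), signature.
        # Expiration, inception and key tag are zero here; only the size matters.
        fixed = struct.pack("!HBBIIIH", covered, ALG_RSASHA256,
                            len(labels_of(owner)), TTL, 0, 0, 0)
        self.put_rr(owner, TYPE_RRSIG, fixed + encode_name(signer) + bytes(sig_len))

    def __len__(self):
        return len(self.buf)


def response_size(qname, qtype, signed, sig_len=256):
    """Wire size of a one-RR answer for qname/qtype, with or without its RRSIG."""
    v4, v6 = SERVERS[qname]
    rdata = (bytes(int(o) for o in v4.split(".")) if qtype == TYPE_A
             else ipaddress.IPv6Address(v6).packed)
    m = Message()
    m.put_question(qname, qtype)
    m.put_rr(qname, qtype, rdata)
    if signed:
        m.put_rrsig(qname, qtype, "root-servers.net.", sig_len)
    return len(m)


def total_refresh_bytes(signed, sig_len=256):
    """Bytes needed to re-fetch every A and AAAA RRset separately (13 names x 2 types)."""
    return sum(response_size(n, t, signed, sig_len)
               for n in SERVERS for t in (TYPE_A, TYPE_AAAA))


if __name__ == "__main__":
    for t, label in ((TYPE_A, "A"), (TYPE_AAAA, "AAAA")):
        print(f"a.root-servers.net {label}: unsigned "
              f"{response_size('a.root-servers.net.', t, False)} bytes, signed "
              f"{response_size('a.root-servers.net.', t, True)} bytes")
    print("all 26 RRsets:", total_refresh_bytes(False), "vs", total_refresh_bytes(True))
```

With these assumptions a single A answer grows from 52 to 356 bytes and an AAAA answer from 64 to 368 bytes, roughly a sevenfold increase per response; the `sig_len` parameter lets you redo the estimate for a different key size. The builder models only the answer section, so real responses carrying authority or additional records, EDNS0 OPT records or a larger signer name would be larger still.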