[DNSOP] Re: [Ext] To sign root-servers.net or not?

Paul Hoffman <paul.hoffman@icann.org> Mon, 17 June 2024 21:17 UTC

Return-Path: <paul.hoffman@icann.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F144AC1516F3 for <dnsop@ietfa.amsl.com>; Mon, 17 Jun 2024 14:17:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V6yDKqnvgiyx for <dnsop@ietfa.amsl.com>; Mon, 17 Jun 2024 14:17:39 -0700 (PDT)
Received: from ppa2.lax.icann.org (ppa2.lax.icann.org [192.0.33.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06AE2C15108B for <dnsop@ietf.org>; Mon, 17 Jun 2024 14:17:39 -0700 (PDT)
Received: from MBX112-W2-CO-1.pexch112.icann.org (out.mail.icann.org [64.78.33.5]) by ppa2.lax.icann.org (8.18.1.2/8.18.1.2) with ESMTPS id 45HLHYiF022661 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 17 Jun 2024 21:17:34 GMT
Received: from MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) by MBX112-W2-CO-1.pexch112.icann.org (10.226.41.128) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.34; Mon, 17 Jun 2024 14:17:33 -0700
Received: from MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) by MBX112-W2-CO-1.pexch112.icann.org ([169.254.44.235]) with mapi id 15.02.1258.034; Mon, 17 Jun 2024 14:17:33 -0700
From: Paul Hoffman <paul.hoffman@icann.org>
To: Geoff Huston <gih@apnic.net>
Thread-Topic: [Ext] [DNSOP] To sign root-servers.net or not?
Thread-Index: AQHawPXBxUnbE/REDkeHzd0aBMLVO7HM6vUA
Date: Mon, 17 Jun 2024 21:17:33 +0000
Message-ID: <0B3AB1AD-9A4C-41A1-BD20-6C13B590F3A0@icann.org>
References: <CADyWQ+GH-8XsxPqCvBQ2p1mDwz1uG0+RPdyrKX8P=LRS6Am_aQ@mail.gmail.com> <426AA277-1698-4EE4-B3E9-745DB9EAA947@strandkip.nl> <CADyWQ+Hn260OEfcF8HEJ0jbfGOvL3GZnQN9=Bpod40TVxY8U_g@mail.gmail.com> <E257658D-F24C-4B84-929B-47FF3BCC1209@apnic.net>
In-Reply-To: <E257658D-F24C-4B84-929B-47FF3BCC1209@apnic.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.0.32.234]
x-source-routing-agent: True
Content-Type: text/plain; charset="us-ascii"
Content-ID: <AD6B0FFA1404E24FA69A3DFE889FDCCC@pexch112.icann.org>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.28.16 definitions=2024-06-17_14,2024-06-17_01,2024-05-17_01
Message-ID-Hash: KXCHIBGOT7QYODEDWMJDESPNJWXGLNO2
X-Message-ID-Hash: KXCHIBGOT7QYODEDWMJDESPNJWXGLNO2
X-MailFrom: paul.hoffman@icann.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: dnsop <dnsop@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [DNSOP] Re: [Ext] To sign root-servers.net or not?
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/Qv5x_R8hYJNvAbCAj-ZR8P9E1Eg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Owner: <mailto:dnsop-owner@ietf.org>
List-Post: <mailto:dnsop@ietf.org>
List-Subscribe: <mailto:dnsop-join@ietf.org>
List-Unsubscribe: <mailto:dnsop-leave@ietf.org>

On Jun 17, 2024, at 13:33, Geoff Huston <gih@apnic.net> wrote:
> 
> [change of topic]
> 
> " things that the IETF may not have the final say on."
> 
> Possibly true in this case, but not having the final say is very different to "having a say"
> 
> I would find it interesting to understand the current state of thinking in DNSOP as to 
> whether to DNSSEC-sign the root-servers.net zone. Are there folk with thoughts
> and opinions on this topic?

Thoughts *and data*! A few weeks ago on this list (https://mailarchive.ietf.org/arch/msg/dnsop/JEChrjGKGhQzwo5dCuWZm4lcm5g) I posted:

> FWIW, this new text is somewhat based on the findings from NLnetLabs and SIDN on a project supported by ICANN. You can see the report, and an earlier report on a related topic, at:
>   https://www.icann.org/resources/pages/octo-commissioned-documents-2020-11-05-en

--Paul Hoffman