Re: [DNSOP] Should root-servers.net be signed

Tony Finch <dot@dotat.at> Mon, 08 March 2010 19:35 UTC

Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@core3.amsl.com
Delivered-To: dnsop@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 190323A6B82 for <dnsop@core3.amsl.com>; Mon, 8 Mar 2010 11:35:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.422
X-Spam-Level:
X-Spam-Status: No, score=-6.422 tagged_above=-999 required=5 tests=[AWL=0.177, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nnwog50QKSzq for <dnsop@core3.amsl.com>; Mon, 8 Mar 2010 11:35:26 -0800 (PST)
Received: from ppsw-6.csi.cam.ac.uk (ppsw-6.csi.cam.ac.uk [131.111.8.136]) by core3.amsl.com (Postfix) with ESMTP id ECDD53A6B67 for <dnsop@ietf.org>; Mon, 8 Mar 2010 11:35:25 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:43521) by ppsw-6.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.156]:25) with esmtpa (EXTERNAL:fanf2) id 1Noijh-0005Kg-JU (Exim 4.70) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 08 Mar 2010 19:35:29 +0000
Received: from fanf2 (helo=localhost) by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local-esmtp id 1Noijh-0008Hl-0t (Exim 4.67) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 08 Mar 2010 19:35:29 +0000
Date: Mon, 08 Mar 2010 19:35:29 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Joe Abley <jabley@hopcount.ca>
In-Reply-To: <A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca>
Message-ID: <alpine.LSU.2.00.1003081929020.1897@hermes-2.csi.cam.ac.uk>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca> <alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk> <A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: George Barwood <george.barwood@blueyonder.co.uk>, dnsop@ietf.org
Subject: Re: [DNSOP] Should root-servers.net be signed
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2010 19:35:27 -0000

On Mon, 8 Mar 2010, Joe Abley wrote:
> On 2010-03-08, at 11:18, Tony Finch wrote:
> > On Mon, 8 Mar 2010, Joe Abley wrote:
> >>
> >
> >> - signing ROOT-SERVERS.NET would result in potentially-harmful large
> >> responses with no increase in security
> >
> > Can't you deal with this by omitting the root-servers.net RRSIGs from the
> > additional section of responses to queries to the root?
>
> Are you suggesting that we implement a coordinated code change to all
> root servers in the name of security or stability?

I suppose it was more a protocol / implementation question, along the
lines of BIND's minimal-responses option.

> Diversity in operation and code base is usually thought to be a strength
> of the root server system.

Yes, but I'm not sure how that has any bearing on the question.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.