Re: [DNSOP] the root is not special, everybody please stop obsessing over it

william manning <> Fri, 15 February 2019 02:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id BEB99130EB5 for <>; Thu, 14 Feb 2019 18:48:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lNx7RaGz4FtE for <>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::c2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 55314130DE3 for <>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
Received: by with SMTP id c67so3177859ywa.7 for <>; Thu, 14 Feb 2019 18:48:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GzQECA5PynLsKL+t3VTbCyjFNbmSYTvoj/D+KAEhD64=; b=qHfJVhjteZV6TdFxK2Los+wD8Se0s7xxylF0DRU64LGKXBaXKNS8raPHTPKVMsQfFo 2JXsBdXgQ7WA/Y/WqrbN2GmZEZfSq68JB2O0YX/SdJ66KRTlHIVMUo5i/DBI2BSe7zja CTjr0wqRayrzG5Ty+gsItSvgEcc/Df34SLZQWGglKpqYCIRg6zqs+s3O/iD+9rAEsCq8 2/9EcF9wU0mwApscOtRJnBG1kq9CQxDoMFXKYH1jRHgJHKhp742AEad1CKwD/Og0eFIs WvebOdpCzhTIuOvu+FDQYNwnxuwuTnhNmbeZPkfIwR2/dJeS439JmmCXzBB99qEWr5ED dyOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GzQECA5PynLsKL+t3VTbCyjFNbmSYTvoj/D+KAEhD64=; b=MYtW3lPN5tx9wXAFbPmwRRLyxgqSRod5ItzACbGWnQ+LOP/7iOvBs0ILCIsYkDF5VX vzMTYILq92r1gqGZY9YwsDzKAzdoZsqwIlD+Clae2hkq/7067nw+ZTDw5P78UwitAAWq ZjWvp5fjWasgvii5Bb4EOKcpLhXmLhPb7BddR9vJNq/0An2qI62MjTVPq3Uw8Qc0zW8a 4jdN8dpdmHJ7pVOQU1Zp6rPC53DHJiAYPmRxWxvSDlJCpzsTIeVyiw7lI+aFHH6KSaYs IqW9w+/ImnY0nAbp/gFadqE5UkDMEhJsoo/LY52GqqVsi02cUfJYcpx9iZPxgwuUdZaW twhA==
X-Gm-Message-State: AHQUAublhgPUOQq2DTIdoWAUsB2MJW1rKOmKi8p0zBhOUcrdlSywzlcX tMtdvcRObtVXqVdKbWHAnczKg3nF4UxU32ljUm0=
X-Google-Smtp-Source: AHgI3Ia1yYNI/aobLWMx6le9+eTYXCGOi5NdZo0sFPbXtmRYCQCsZKQBA6BJJIg3cCBnQo+s99YaWqdP65dA7PP+0AM=
X-Received: by 2002:a81:63d4:: with SMTP id x203mr5877232ywb.82.1550198917210; Thu, 14 Feb 2019 18:48:37 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <> <>
In-Reply-To: <>
From: william manning <>
Date: Thu, 14 Feb 2019 18:48:26 -0800
Message-ID: <>
To: Paul Vixie <>
Cc: Evan Hunt <>, IETF DNSOP WG <>
Content-Type: multipart/alternative; boundary="000000000000caa7af0581e5cfad"
Archived-At: <>
Subject: Re: [DNSOP] the root is not special, everybody please stop obsessing over it
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 15 Feb 2019 02:48:41 -0000

You are welcome.  I think, modulo minor differences in terminology, we are
saying pretty much the same thing.
pragmatically, DNS infrastructure dependencies can not be maintained and
work on data resiliency is where the useful work lies.


On Thu, Feb 14, 2019 at 5:51 PM Paul Vixie <> wrote:

> william manning wrote on 2019-02-14 17:35:
> > so, you would like the DNS to be resilient enough to "see" what was
> > topologically reachable and build a connected graph of those assets?
> no. that's not possible, and not desireable in any case.
> > I think that has been done, both academically and in a more limited way,
> > commercially, but its not called DNS so as not to upset the DNS mafia.
> > Or do you want something more restrictive than that?
> i want the metadata i need to reach and trust assets on my side of any
> connectivity loss event, to be kept in warm storage, and made subject to
> trusted invalidation on an opportunistic basis, at the discretion of the
> authority operators who own the data i have warm copies of.
> in practice this means DS/NS and DNSKEY/RRSIG and AAAA/A from my static
> trust anchor(s) down to any data i used recently or frequently (or by
> some other priority scheme), and i want it to look a bit like the single
> transaction mode of IXFR plus the single transaction mode of NOTIFY.
> no topology information as to actual connectivity will be modeled or
> estimated or needed. what matters is whether i can still reach all
> internet resources on my side of a break in connectivity (whether local
> or regional or distant), without needing any information that's
> otherwise only available on the far side of the connectivity break.
> thanks for asking; i am happy to clarify. DNS infrastructure should not
> be centralized, even if its content remains centrally coordinated by
> ICANN. (block chain people keep telling me that ICANN will be obsolete,
> but i'm not taking a position on that, only on data resiliency.)
> --
> P Vixie