Re: [DNSOP] On resolver priming

Joao Damas <joao@bondis.org> Sat, 13 November 2010 17:02 UTC

From: Joao Damas <joao@bondis.org>
In-Reply-To: <p0624083cc9037a3d2cac@[130.129.37.235]>
Date: Sat, 13 Nov 2010 18:02:47 +0100
Message-Id: <465427C4-153F-4947-B719-E62F8D9FFBFF@bondis.org>
References: <20101111100350.GA1997@shinkuro.com> <20101111184914.GA12031@DUL1MLARSON-M1.labs.vrsn.com> <p0624080fc902387a14c5@[130.129.37.235]> <046B85AE-F7E0-4166-AC5C-7CEFAEB5FC6A@virtualized.org> <p0624083cc9037a3d2cac@[130.129.37.235]>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: dnsop@ietf.org, David Conrad <drc@virtualized.org>
Subject: Re: [DNSOP] On resolver priming

On 13 Nov 2010, at 00:17, Paul Hoffman wrote:

> At 12:34 PM -0800 11/12/10, David Conrad wrote:
>> To me, it doesn't make a whole lot of sense to sign root-servers.net before .net is signed.  As long as there is commitment from relevant parties that root-servers.net will be signed within some fixed timeframe after .net is signed, I'd be satisfied.  But that's just me...
> 
> I didn't hear anyone asking for root-servers.net to be signed before .net is signed; it's kind of hard to sign a zone before its parent is, unless you are going to sign with a super-parent. To me, it would make more sense to sign root-servers.net with the .net key, not the root key.

I would hope root-servers.net would have its own key and not simply use some other key that happens to be "lying around". Or did you mean signing of the DS record for root-servers.net?
In any case .net is going to be signed within 6 weeks. I would be surprised if root-servers.net can get all the rubber stamps in place by then, so not having .net signed right now is not an argument against starting the root-servers.net process now.

> 
> A different way to think of this problem is that the registrant of this zone, VeriSign, should simply sign the zone just like it does other zones it controls, such as verisign.net. It would be hard for VeriSign to claim that signing verisign.net is of more security value than signing root-servers.net.
> 

The admin contact is the IANA, not Verisign.

Joao
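The chain-of-trust point made in the exchange above (a child zone signed before its parent is signed and publishes a DS for it is an "island" that validators anchored at the root cannot reach) can be modelled offline. This is an added example, not part of the thread: the DS digest computation follows RFC 4034/4509, but the keys, zone states and the `scenario()` helper are constructed and describe no real zone.

```python
import hashlib

# Constructed model of the DNSSEC chain of trust (RFC 4033-4035).
# Keys and zone states below are made up and describe no real zone.

def canonical_wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def ds_digest(owner: str, key_rdata: bytes) -> str:
    """DS digest type 2: SHA-256(canonical owner name || DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(canonical_wire_name(owner) + key_rdata).hexdigest()

def parent(name: str) -> str:
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."

def chain_status(name: str, zones: dict) -> str:
    """'secure': signed and reachable from the root trust anchor via DS records;
    'island': signed, but no DS path from the root, so validators cannot use it;
    'insecure': not signed at all."""
    z = zones[name]
    if z["ksk"] is None:
        return "insecure"
    if name == ".":
        return "secure"  # the root KSK is the validator's configured trust anchor
    if chain_status(parent(name), zones) != "secure":
        return "island"  # parent unsigned or itself unreachable: no path from the root
    if zones[parent(name)]["ds"].get(name) == ds_digest(name, z["ksk"]):
        return "secure"
    return "island"      # parent is secure but publishes no matching DS for this child

# Constructed keys (hypothetical bytes, not real DNSKEY material).
ROOT_KSK = dnskey_rdata(257, 8, b"root-ksk-public-key-bytes")
NET_KSK = dnskey_rdata(257, 8, b"net-ksk-public-key-bytes")
RSN_KSK = dnskey_rdata(257, 8, b"root-servers-ksk-public-key-bytes")

def scenario(net_signed: bool, ds_for_rsn_published: bool) -> dict:
    """Chain status of every zone when root-servers.net is signed first (constructed)."""
    zones = {
        ".": {"ksk": ROOT_KSK,
              "ds": {"net.": ds_digest("net.", NET_KSK)} if net_signed else {}},
        "net.": {"ksk": NET_KSK if net_signed else None,
                 "ds": {"root-servers.net.": ds_digest("root-servers.net.", RSN_KSK)}
                       if ds_for_rsn_published else {}},
        "root-servers.net.": {"ksk": RSN_KSK, "ds": {}},
    }
    return {n: chain_status(n, zones) for n in zones}
```

With .net unsigned, root-servers.net is an island no matter what it publishes; it becomes secure only once .net is both signed and carries a DS that matches the root-servers.net KSK.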