Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Doug Barton <dougb@dougbarton.us> Wed, 15 January 2014 00:50 UTC

On 01/14/2014 04:43 PM, Doug Barton wrote:
> Other than the DS records (if any) the records associated with a given
> TLD (specifically the NS records) in the root are not signed.

... obviously the glue records are not signed either of course. My point 
was that it's the delegation that some paranoid countries don't want 
removed, and DNSSEC isn't going to help that.

Doug
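
The signing rule this message relies on (RFC 4035, section 2.2: in a parent zone the DS RRset at a delegation is signed, while the delegation NS RRset and glue are not), as an added example that is not part of the original post. The zone contents, names and the `signing_plan` helper are constructed for illustration.

```python
# Added example: which RRsets in a parent zone carry RRSIGs (RFC 4035, 2.2).
# ZONE is a constructed sample, not real root zone data.
ORIGIN = "."
ZONE = [
    (".", "SOA"), (".", "NS"), (".", "DNSKEY"),
    ("example.", "NS"),        # delegation to a signed child
    ("example.", "DS"),
    ("ns1.example.", "A"),     # glue
    ("unsigned.", "NS"),       # delegation to an unsigned child (no DS)
    ("ns.unsigned.", "AAAA"),  # glue
]

def at_or_below(name, ancestor):
    """True if name equals ancestor or is a subdomain of it."""
    return name == ancestor or name.endswith("." + ancestor)

def signing_plan(zone, origin):
    """Map (owner, type) -> status for every RRset in a parent zone."""
    # A zone cut is any owner name other than the apex that has an NS RRset.
    cuts = {owner for owner, rtype in zone if rtype == "NS" and owner != origin}
    plan = {}
    for owner, rtype in zone:
        cut = next((c for c in cuts if at_or_below(owner, c)), None)
        if cut is None:
            plan[(owner, rtype)] = "signed (authoritative)"
        elif owner == cut and rtype in ("DS", "NSEC"):
            # Parent-side data at the cut: authoritative here, so signed.
            plan[(owner, rtype)] = "signed (parent side of cut)"
        elif owner == cut and rtype == "NS":
            plan[(owner, rtype)] = "unsigned (delegation NS)"
        else:
            plan[(owner, rtype)] = "unsigned (glue)"
    return plan

def unsigned_rrsets(zone, origin):
    """RRsets a validator cannot authenticate from the parent zone alone."""
    return sorted(k for k, v in signing_plan(zone, origin).items()
                  if v.startswith("unsigned"))

if __name__ == "__main__":
    for key, status in signing_plan(ZONE, ORIGIN).items():
        print(f"{key[0]:<14} {key[1]:<7} {status}")
```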