Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn

Doug Barton <> Wed, 15 January 2014 00:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 181A71AE194 for <>; Tue, 14 Jan 2014 16:44:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.538, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id TPv8QGRqn1GF for <>; Tue, 14 Jan 2014 16:44:06 -0800 (PST)
Received: from ( [IPv6:2607:f2f8:ab14::2]) by (Postfix) with ESMTP id 05C801ADF47 for <>; Tue, 14 Jan 2014 16:44:06 -0800 (PST)
Received: from [IPv6:2001:470:d:5e7:6428:3c09:51ac:eee1] (unknown [IPv6:2001:470:d:5e7:6428:3c09:51ac:eee1]) by (Postfix) with ESMTPSA id B374222B2C for <>; Wed, 15 Jan 2014 00:43:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; t=1389746633; bh=+ghjNAbVA5E2b5UZzG1LxMNcIDvcbMkx0V/jrrI9znU=; h=Date:From:To:Subject:References:In-Reply-To; b=cUjX55Ed/pWCTWTOkM6zdJlpvErkz0GKv5LMhXg3xTOE0NAh3Xt3t/rJU97yMJtRs otHluEVAMMXnCSfF1ks1rA/AaW/LTKSkYfvOC3Ue1kkUZKq1ZPjumDTZBQlszGWEeh r5X7RH2Kd4ElLI8neTo8igva+3zWrJJ26dJJkzdQ=
Message-ID: <>
Date: Tue, 14 Jan 2014 16:43:52 -0800
From: Doug Barton <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.6
OpenPGP: id=1A1ABC84
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jan 2014 00:44:07 -0000

On 01/14/2014 12:08 PM, Andrew Sullivan wrote:
> Good point.  I think the idea is that this is a feature, because it's
> supposed to be the Mutually-Assured Destruction threat that will
> prevent the USG from unilaterally removing some country from the root
> zone (that seems to be the threat people are worried about.

It historically has been the main threat that several countries are 
worried about, however DNSSEC doesn't do anything to stop it. Other than 
the DS records (if any) the records associated with a given TLD 
(specifically the NS records) in the root are not signed.

Of course as DNSSEC becomes more important removal of the DS records 
will become correspondingly more important, but that's not the threat 
that these people care about.