Re: [DNSOP] Should root-servers.net be signed

Matt Larson <mlarson@verisign.com> Tue, 09 March 2010 19:16 UTC

Date: Tue, 09 Mar 2010 14:16:29 -0500
From: Matt Larson <mlarson@verisign.com>
To: dnsop@ietf.org
Message-ID: <20100309191629.GL5108@dul1mcmlarson-l1-2.local>
References: <2AA0F45200E147D1ADC86A4B373C3D46@localhost> <0E169711-92DC-4AEA-AA81-718F298D1645@hopcount.ca> <alpine.LSU.2.00.1003081614480.1897@hermes-2.csi.cam.ac.uk> <A2D7C5EE-9937-4529-A28F-23296485A8B2@hopcount.ca> <alpine.LSU.2.00.1003081929020.1897@hermes-2.csi.cam.ac.uk> <4B9629FF.8010400@nlnetlabs.nl> <20100309145352.GB5108@dul1mcmlarson-l1-2.local> <alpine.LSU.2.00.1003091650490.1923@hermes-2.csi.cam.ac.uk>
In-Reply-To: <alpine.LSU.2.00.1003091650490.1923@hermes-2.csi.cam.ac.uk>

On Tue, 09 Mar 2010, Tony Finch wrote:
> On Tue, 9 Mar 2010, Matt Larson wrote:
> >
> > Even after .net is signed (in Q4 2010)
> 
> I note that Verisign's press releases say "by Q1 2011" which I find rather
> hard to interpret. Why don't they say "by the start of 2011"? Do they mean
> "in Q1 2011"?

Those are calendar quarters.  When encountering "by Q1 2011", I think
it is safe to assume that what is meant is "by the end of Q1 2011".
That is the intent in this particular case.

> People on Twitter have been saying today that Verisign are planning to
> sign "during the first half of 2011" though the link they are pointing to
> says "by the first half of 2011".
> http://searchsecurity.techtarget.com/video/0,297151,sid14_gci1411162,00.html?track=sy160
> 
> What is the date of the actual deployment deadline?

I don't know the source for the text on that web page, but the intent
has been to consistently communicate that .net will be signed during Q4
2010 and that .com will be signed during Q1 2011.

> > There is definitely a trade-off between increased response size and the
> > incremental benefits of signing that needs to be weighed and evaluated.
> 
> In what situations is the larger response size a problem for
> root-servers.net? Why isn't it a problem for any other domain?

I didn't mean to imply that it wasn't.  If the address records
corresponding to a zone's name servers do not reside in the zone
itself, I'd give strong consideration to not signing the zone
containing those address records.  For example, .com and .net are
hosted on servers named in the gtld-servers.net zone, and we are not
necessarily going to sign the gtld-servers.net zone (at least not
right away): it's a question that needs careful weighing of the
trade-offs.  Admittedly, the root zone is special because its apex NS
RRset is queried for (./IN/NS priming queries), whereas other zones
don't receive such queries as part of the normal resolution process.

Matt