This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] Re: root zone signing
David Conrad
drc at virtualized.org
Mon Oct 20 19:58:07 CEST 2008
Dima,

On Oct 20, 2008, at 9:55 AM, Dmitry Burkov wrote:
> for me the issue - as I wrote in previous email to Joao - it is how
> it can be used in software in future.

As I'm sure you're aware, the only thing DNSSEC-signing the root does is allow for validating resolvers to verify the data from the root zone hasn't been modified from the point at which it was signed to the point at which it is used by the validating resolver.

If {IANA,VeriSign,NTIA} were to do something "bad", the contents of the root zone would be altered, regardless of whether the root zone were signed. In order to avoid this badness, operators of caching servers would need to modify their root hints to point to root servers serving non-bad data or take other steps that mucked with the caching server's configuration. If the root were DNSSEC-signed, the configuration mucking would need to include changing the root trust anchor. I don't see the significantly increased risk here by adding DNSSEC.

> After that I want to remind that the political world is not
> hierarchical - and when we put something with legal background to
> technical implementation it will immediately raise political issues
> as it does not reflect reality.

Sorry? What legal background are you talking about?

As for reflecting reality, I'm gathering what you're referencing is the fact that the US government has an authorization role in root management.

First: none of the scenarios for DNSSEC-signing the root changes this, so we'd be no better or worse off than we are now.

Second: lots of governments, many of which are in Europe, support the US government having the role it does in root zone management. Given this, I suspect it is unlikely there will be a change in roles for the foreseeable future.

It would be unfortunate if DNSSEC-signing the root were held back because of this.

Regards,
-drc