[rssac-caucus] FOR REVIEW: Technical Analysis of the Naming Scheme used for Individual Root Servers
Wessels, Duane
dwessels at verisign.com
Thu Oct 27 17:04:43 UTC 2016
Hi Steve,
I've reviewed the document and made a bunch of comments in the attached copy.
I'm really concerned about one thing however. It seems to be a foregone conclusion that the priming response data must be fully DNSSEC-validatable. Every proposed naming scheme other than "current" talks about fully signed data. The document makes vague references to DNSSEC protecting resolvers from "various name-based attacks" but does not say what these attacks are. There might be legitimate attacks but I don't think they are data integrity attacks. I'd like to see more discussion on the tradeoffs of a validatable vs unvalidatable priming response. For some naming schemes adding DNSSEC increases complexity.
I think it would be useful to know how current recursive name server implementations behave with respect to setting DO=1 in their priming queries, if they do any validation of the response, and if so, how they handle a bogus response.
The document devotes a lot to concerns about the size of a priming response. Perhaps RSSAC should recommend a specific upper limit on priming response size, which could then be used to evaluate the various naming schemes.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 13 October Root Servers Naming Scheme DW.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 63855 bytes
Desc: 13 October Root Servers Naming Scheme DW.docx
URL: <http://mm.icann.org/pipermail/rssac-caucus/attachments/20161027/f767be78/13OctoberRootServersNamingSchemeDW.docx>
More information about the rssac-caucus
mailing list