[RZERC] rzerc-sign-root-servers-net-recommendation

Daniel Migault mglt.biz at gmail.com
Thu Oct 8 23:00:30 UTC 2020


Hi,

Please find my comments regarding
rzerc-sign-root-servers-net-recommendation. Please
take these comments as random comments.

I am interpreting the text below as saying that
signing the A/AAAA RRSet would enforce the
DNS data being retrieved from the IP mentioned.
This does not seem correct as the signature only
provides evidence of ownership. I think the text
mentioned could be removed. I also find "doesn't
care" inappropriate.

"""
This means that DNSSEC can tell you whether or not
one got the correct data, but not whether or not
one got it from the correct server. In other
words, DNSSEC doesn’t care where data comes from,
only whether or not it has been modified.
"""

One threat seems to be that .net needs to properly
delegate "root-servers.net", and I believe some
studies may be needed to see whether we should
provide means to protect against such an error. Of
course this requires some risk considerations.

root-servers.net and "." are in a chicken and egg
situation. I believe that we should maybe look at
having "." validate even if root-servers.net does
not validate.

Recommendation 2 is unclear to me. I am unclear if
that includes revisiting DNSSEC. I doubt this is
appropriate, at least at this time. If revisiting
DNSSEC is not in scope, then I believe that should
be stated explicitly. I believe the changes would
be limited to "root-servers.net" and ".". I also
suggest this being explicitly mentioned if that is
the intent.

It is unclear to me whether the points I suggested
are part of the first or second recommendation.
These could fit both.

We maybe should also clarify if we are waiting for
inputs regarding a new naming scheme - or
excluding this possibility.

Yours,
Daniel

-- 
Daniel Migault
Ericsson
Phone: +1 514-452-2160