[RZERC] rzerc-sign-root-servers-net-recommendation
Wessels, Duane
dwessels at verisign.com
Fri Oct 16 20:16:13 UTC 2020
> On Oct 8, 2020, at 4:00 PM, Daniel Migault <mglt.biz at gmail.com> wrote:
>
> Hi,
>
> Please find my comments regarding
> rzerc-sign-root-servers-net-recommendation. Please
> take these comments are random comments.
Thanks Daniel,
>
> I am interpreting the text below as saying that
> signing the A/AAAA RRSet would enforce the
> DNS data being retrieved from the IP mentioned.
> This does not seem correct as the signature only
> provides evidence of ownership.
The document is not saying that it would enforce data
being retrieved from those addresses. But it is saying
that validators *could* validate those address records,
and presumably drop any invalid data.
I'm not sure what you mean by evidence of ownership.
In RFC-speak, it would be accurate to say that DNSSEC
provides "data origin authentication."
> I think the text
> mentioned could be removed. I also find "doesn't
> care" unappropriated.
I've changed the "doesn't care" part to something less
informal.
>
> """
> This means that DNSSEC can tell you whether or not
> one got the correct data, but not whether or not
> one got it from the correct server. In other
> words, DNSSEC doesn’t care where data comes from,
> only whether or not it has been modified.
> """
>
> One threat seems that .net needs to properly
> delegate "root-servers.net" and believe some
> studies may be needed to see whether we should
> provide means to protect against such error. Of
> course this requires some risk considerations.
I think you're referring to the DS part of the delegation
if the zone were to be signed?
root-servers.net has been properly delegated since
it was created.
>
> root-server.net and "." are in a chicken and egg
> situation. I believe that we should maybe look at
> having "." validate even if root-server.net does
> not validate.
RZERC has decided to not make any recommendations
on specific ways of getting to signed root name
server data (such as signing root-servers.net).
Instead RZERC will recommend further studies of
the various alternatives. Signing root-servers.net
would be one alternative, but renaming the root
server identities would be another.
>
> Recommendation 2 is unclear to me. I am unclear if
> that includes revisiting DNSSEC. I doubt this is
> appropriated at least at this time. If revisiting
> DNSSEC is not in scope, than I believe that should
> be stated explicitly. I believe the changes would
> be limited to "root-servers.net" and ".". I also
> suggest this being explicitly mentioned if that is
> the intent.
Howard offered to clarify this recommendation since
I didn't capture his original intent very well. Hopefully
he can provide that soon.
>
> It is unclear to me whether the points I suggested
> are part of the first or second recommendation.
> These could fit both.
>
> We maybe should also clarify if we are waiting for
> inputs regarding a new naming scheme - or
> excluding this possibility.
That is part of the further study work that we will ask ICANN to do.
DW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4695 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/rzerc/attachments/20201016/84db1bae/smime.p7s>
More information about the RZERC
mailing list