[RZERC] rzerc-sign-root-servers-net-recommendation

Wessels, Duane dwessels at verisign.com
Fri Oct 16 20:16:13 UTC 2020 


> On Oct 8, 2020, at 4:00 PM, Daniel Migault <mglt.biz at gmail.com> wrote:
> 
> Hi,
> 
> Please find my comments regarding
> rzerc-sign-root-servers-net-recommendation. Please
> take these comments are random comments.

Thanks Daniel,

> 
> I am interpreting the text below as saying that
> signing the A/AAAA RRSet would enforce  the
> DNS data being retrieved from the IP mentioned.
> This does not seem correct as the signature only
> provides evidence of ownership.

The document is not saying that it would enforce data
being retrieved from those addresses.  But it is saying
that validators *could* validate those address records, 
and presumably drop any invalid data.

I'm not sure what you mean by evidence of ownership.
In RFC-speak, it would be accurate to say that DNSSEC
provides "data origin authentication."

> I think the text
> mentioned could be removed.  I also find "doesn't
> care" unappropriated.

I've changed the "doesn't care" part to something less
informal.

> 
> """
> This means that DNSSEC can tell you whether or not
> one got the correct data, but not whether or not
> one got it from the correct server. In other
> words, DNSSEC doesn’t care where data comes from,
> only whether or not it has been modified.
> """



> 
> One threat seems that .net needs to properly
> delegate "root-servers.net" and believe some
> studies may be needed to see whether we should
> provide means to protect against such error. Of
> course this requires some risk considerations.

I think you're referring to the DS part of the delegation
if the zone were to be signed?

root-servers.net has been properly delegated since
it was created.

> 
> root-server.net and "." are in a chicken and egg
> situation. I believe that we should maybe look at
> having "." validate even if root-server.net does
> not validate.

RZERC has decided to not make any recommendations
on specific ways of getting to signed root name
server data (such as signing root-servers.net).

Instead RZERC will recommend further studies of
the various alternatives.  Signing root-servers.net
would be one alternative, but renaming the root
server identities would be another.

> 
> Recommendation 2 is unclear to me. I am unclear if
> that includes revisiting DNSSEC. I doubt this is
> appropriated at least at this time. If revisiting
> DNSSEC is not in scope, than I believe that should
> be stated explicitly. I believe the changes would
> be limited to "root-servers.net" and ".". I also
> suggest this being explicitly mentioned if that is
> the intent.

Howard offered to clarify this recommendation since 
I didn't capture his original intent very well.  Hopefully
he can provide that soon.

> 
> It is unclear to me whether the points I suggested
> are part of the first or second recommendation.
> These could fit both.
> 
> We maybe should also clarify if we are waiting for
> inputs regarding a new naming scheme - or
> excluding this possibility.

That is part of the further study work that we will ask ICANN to do.

DW


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4695 bytes
Desc: not available
URL: <http://mm.icann.org/pipermail/rzerc/attachments/20201016/84db1bae/smime.p7s>

More information about the RZERC mailing list