On 2013-09-07, at 15:07, Paul Wouters <p...@nohats.ca> wrote:

> On Sat, 7 Sep 2013, Florian Weimer wrote:
>
>> Well, there aren't any plans to sign ROOT-SERVERS.NET, are there?
>
> Why sign that when you have the DNSKEY via the DS anyway. You shouldn't
> care which IP answers and whether they can spoof it. If one IP fails,
> try another. If the attacker can rewrite all of that, you should
> probably not be on that network.
Indeed, the only reason to sign ROOT-SERVERS.NET I have heard is that we want people to sign, and we want to set a good example, so signing that zone would be a good idea. I have not heard a convincing security argument for signing it. If there was a good reason, it could be signed.

Joe

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs