On 15 Dec 2017, at 7:37, Joe Abley wrote:

> On 15 Dec 2017, at 10:31, Paul Hoffman <paul.hoff...@vpnc.org> wrote:
>
>> On 14 Dec 2017, at 21:45, Geoff Huston wrote:
>>
>>> I agree the mechanics of the change in the text, and even in the
>>> code to support this, are pretty minor, but I am slightly worried
>>> about the intended generality of the proposed change being a small
>>> step too far, so I am curious to understand why you are advocating
>>> this change.
>>
>> Because the root zone is not special for DNSSEC.
>
> I agree with that philosophically, but not practically.
>
> In practical terms anybody who has a non-root trust anchor installed
> has a bidirectional operational relationship with the people who
> publish it. Synchronising that trust anchor, with the glorious benefit
> of a full list of relying parties and knowledge of how to interact
> with them, is a far cry from the situation we find ourselves in with
> the root zone.

Fully agree. But you don't say why that should prevent a resolver's user
from testing that.

> While it's conceptually elegant to have this mechanism easily
> available to the operator of nameservers for any zone, it's not clear
> to me that this is supported by a tangible use case.

A TLD operator who doesn't really like the fact that ICANN and Verisign
control the contents of the root zone declares that their KSK has tag
12321 and will have that tag until further notice. They suggest that
everyone who wants to trust them should install their current KSK as a
trust anchor because who knows what evil or incompetent thing ICANN and
Verisign will do in the future. A user wants to see if their resolver
operator has done so.

(I wish this was far-fetched. Since starting to work for ICANN, I have
been told **by people on this list** that this could happen for their
TLDs.)

> If changes motivated by this desire for elegance weaken support for
> the one use case we have, they seem like a bad idea. (Not saying they
> do; I haven't thought about them that hard and in any case I am not an
> implementor.)

Thinking hard about the above use case is very unpleasant, I admit. It
indicates that some TLD operators might make validation for their own
zones more fragile. And yet it is discussed more regularly than you
would hope.
--Paul Hoffman
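Paul's use case, a user checking whether a TLD's KSK with a declared key tag is among a resolver's configured trust anchors, worked through as an added example that is not part of this thread or of any draft: it computes DNSKEY key tags per RFC 4034 Appendix B and looks a tag up in a constructed anchor set. The owner name "example.", the two keys and the presentation-format anchor lines are assumptions, not real published keys.

```python
import base64
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class DNSKey:
    owner: str         # owner name, normalized to lower case with trailing dot
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # raw key material as carried in the RDATA

    def rdata(self) -> bytes:
        # Wire-format RDATA: flags (16 bits), protocol (8), algorithm (8), key material.
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        # RFC 4034 Appendix B: octet sum, even-indexed octets weighted by 256, carry folded in once.
        ac = 0
        for i, octet in enumerate(self.rdata()):
            ac += (octet << 8) if i % 2 == 0 else octet
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF  # not a hash: distinct keys can share a tag

    def is_ksk(self) -> bool:
        # ZONE (0x0100) and SEP (0x0001) flag bits both set, i.e. the usual flags value 257.
        return self.flags & 0x0101 == 0x0101

def normalize_owner(name: str) -> str:
    name = name.lower()
    return name if name.endswith(".") else name + "."

def parse_trust_anchor(line: str) -> DNSKey:
    # Presentation format: '<owner> IN DNSKEY <flags> <protocol> <algorithm> <base64 key>'.
    owner, _cls, rtype, flags, proto, alg, *key_fields = line.split()
    if rtype.upper() != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {line!r}")
    return DNSKey(normalize_owner(owner), int(flags), int(proto), int(alg),
                  base64.b64decode("".join(key_fields)))

def has_trust_anchor(anchors, owner: str, tag: int) -> bool:
    # True if the configured anchor set holds a key for this owner with this key tag.
    owner = normalize_owner(owner)
    return any(a.owner == owner and a.key_tag() == tag for a in anchors)

# Constructed anchor set for the hypothetical TLD "example." (made-up keys, not real ones).
ANCHOR_FILE = """\
example. IN DNSKEY 257 3 8 AQIDBA==
example. IN DNSKEY 256 3 13 AAA=
"""
ANCHORS = [parse_trust_anchor(l) for l in ANCHOR_FILE.splitlines() if l.strip()]
```

With these constructed keys, `has_trust_anchor(ANCHORS, "example.", 12321)` is False, which is exactly the outcome the user in the scenario wants to be able to observe; a resolver only ever holds whichever anchors its operator installed.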
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop