[dnssec-deployment] Nominet position paper about Signing the Root.
paul at xelerance.com
Mon Dec 3 20:31:41 EST 2007
On Mon, 3 Dec 2007, Crocker Steve wrote:
> With due respect, the response you're giving Michael is simply a refusal to
> consider multiple KSKs for the official, unified, single root zone. Is that
> what you mean to be saying?
No. I am saying if I don't trust organisation X's signature, and I want to
trust organisation Y's signature, I will want a zone signed by just Y.
It's a hard sell to explain that since you trust Y's signatures, then X's
refusal to sign something would not matter.
On top of that, as I said, if organisations X and Y disagree on the contents
of the zone, they'll end up signing a different zone anyway, because they
cannot co-exist in the same zone if they both sign for a single zone key.
At least, I hope we're not going to use OPT-IN with two Zone Signing Keys.
If they do agree, and in the foreseeable future agree as well, they might
as well assign one entity to sign the zone to begin with.
> Yes, some people want alternate roots.
Like software forks, they are cheap. If politicians decide to make life
complicated by demanding different root zone data, then there is nothing we
can do to avoid countries running and enforcing their own root zone.
> And, yes, some people want just one party to sign the root.
From the ccNSO survey, the large majority of the ccTLDs, which are the
large majority of entries in the root zone, want IANA/ICANN to sign the
zone. They don't see a difference between the signed and unsigned root.
> But Michael is suggesting some people want a single
> root but want multiple parties to authenticate the ZSK.
It's possible, but I don't think such a technical hack will convince any
politician. We are talking about people who are still arguing who is
responsible for a hyperlink.
I also don't see much use in separation between IANA/ICANN and Verisign,
to split up the KSK and ZSK. Either there is no issue, and the keys
might as well be stored at the most secure location. Or one of the two
parties becomes "rogue". If Verisign turns rogue, they have 30 days
(the keylife of the ZSK) to do as they want, while IANA can't even get
their DNSKEY revocation published. Or Verisign can just load a new KSK
on A. If IANA goes rogue, Verisign can just ignore that for 30 days too,
while publications will be made for the new KSK of the root.
And as much as I'm skeptical about Verisign, I don't see Verisign, IANA,
ICANN and the USG fighting their root zone control fight using DNSKEYs.