[dnssec-deployment] Nominet position paper about Signing the Root.

Phil Regnauld regnauld+dnssec at catpipe.net
Tue Dec 4 03:34:03 EST 2007


Michael StJohns (mstjohns) writes:
> If you want multiple entities to be responsible for the signatures on the root zone - use the appropriate technology.  Threshold signatures will work without any changes to any of the end systems and will make the root signatures dependent on more than just the root zone owner without any of the problems you would encounter with multiple signatures.

	So what's the threshold here?

	I think the most likely scenario that needs to be addressed is that
	failure (for technical or operational reasons) for one party (IANA)
	to sign the root should not stop operation of the root.  But if IANA
	refuses to sign the zone, but Verisign accepts, is that good enough?
	etc...  Can we have a threshold to be a combination of "if not this sig,
	then at least these other two"?  We're quickly moving away from
	technical incapability into the realm of policy issues and associated
	conflicts.
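
The "if not this sig, then at least these other two" rule asked about above can be written as a weighted threshold: one party holds two shares, the others one each, and two shares are required. The sketch below is an added example, not part of the original message or of any root-signing proposal; it uses plain Shamir secret sharing over a prime field to show only the access structure (a real threshold signature scheme would never reassemble the key in one place), and the party name "ThirdParty" and the weights are assumptions.

```python
import secrets

P = 2**127 - 1  # prime field modulus for the toy signing key

# Constructed policy: IANA alone, or any two of the other parties.
# "ThirdParty" is a hypothetical name; the thread names only IANA and Verisign.
WEIGHTS = {"IANA": 2, "Verisign": 1, "ThirdParty": 1}
THRESHOLD = 2

def deal(secret, weights=WEIGHTS, threshold=THRESHOLD):
    """Give each party `weight` points on a random degree-(threshold-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    shares, x = {}, 1
    for party, weight in weights.items():
        shares[party] = []
        for _ in range(weight):
            y = sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
            shares[party].append((x, y))
            x += 1
    return shares

def combine(points):
    """Lagrange-interpolate the polynomial at x = 0 from the pooled points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def coalition_recovers(coalition, shares, secret):
    """True if the parties in `coalition`, pooling their shares, obtain the key."""
    points = [pt for party in coalition for pt in shares[party]]
    return combine(points) == secret

def demo():
    secret = secrets.randbelow(P)
    shares = deal(secret)
    coalitions = [("IANA",), ("Verisign", "ThirdParty"), ("Verisign",), ("ThirdParty",)]
    return {c: coalition_recovers(c, shares, secret) for c in coalitions}

if __name__ == "__main__":
    for coalition, ok in demo().items():
        print(" + ".join(coalition), "->", "can sign" if ok else "cannot sign")
```

Who receives which weight is exactly the policy decision the message points to; the arithmetic only enforces whatever assignment is agreed.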


