[dnssec-deployment] Nominet position paper about Signing the Root.
steve at shinkuro.com
Tue Dec 4 10:52:41 EST 2007
On Dec 4, 2007, at 2:34 AM, Phil Regnauld wrote:
> Michael StJohns (mstjohns) writes:
>> If you want multiple entities to be responsible for the signatures
>> on the root zone - use the appropriate technology. Threshold
>> signatures will work without any changes to any of the end system
>> and will make the root signatures dependent on more than just the
>> root zone owner without any of the problems you would encounter
>> with multiple signatures.
> So what's the threshold here ?
> I think the most likely scenario that needs to be addressed is that
> failure (for technical or operational reasons) for one party (IANA)
> to sign the root should not stop operation of the root. But if IANA
> refuses to sign the zone, but Verisign accepts, is that good enough ?
> etc... Can we have a threshold to be a combination of "if not
> this sig,
> then at least these other two" ? We're quickly moving away from
> technical incapability into the realm of policy issues and associated
Signing a zone is part of managing the zone. The zone manager is
responsible for maintaining the contents accurately, preparing and
signing the zone contents, and providing lookup service to the zone.
If it fails to do any part of these, it's not doing its job. If it
fails repeatedly and/or deliberately, that's malfeasance.
The sentence that begins, "But if IANA refuses to sign the zone..."
implies this is somehow an acceptable state of affairs that needs to
be dealt with. It's not. If IANA -- or any zone manager -- stops
signing its zone, that's a qualitative change in the management of
the zone. In the case of the root zone, that would be highly visible
and would trigger immediate involvement from nearly everyone. In the
case of any other zone, it would be visible and accountable to same
people who care about the contents of the zone. There's really no
need to build distinct protection against different forms of zone
More information about the Dnssec-deployment