[dnssec-deployment] A gazillion new TLDs
Steve Crocker
steve at shinkuro.com
Fri Jun 27 08:54:29 EDT 2008
Folks,
This is silly. The large TLDs -- COM, NET, DE -- are thousands of
times as large as the root will ever be. It is trivial to manage
secure entry points for all of the TLDs that will be signed. Our
real problem is dealing with large numbers of signed zones below COM,
NET and DE. The only DNSSEC issue related to the introduction of new
TLDs is whether each new TLD chooses to implement DNSSEC. At
present, there is no requirement for it to do so. If it does, the
IANA will include its DS record in its ad hoc registry until the root
is signed.
Steve
On Jun 27, 2008, at 2:38 PM, Edward Lewis wrote:
> At 8:18 -0400 6/27/08, George M Jones wrote:
>
>> That's the technical end of it. A shell script can handle that.
>
> <sarcasm> ;) Yeah, shell scripts really scale well.
>
>> I was wondering about the complexity of dealing with larger #s of
>> organizations with differing technical ability, different motivations,
>> different processes, more chances for things to go wrong, more
>> keys to manage, etc....
>
> I think there are technical challenges, but nothing novel.
>
> If the assumption is that there will be a million names in the root
> zone, does ICANN today operate a registry on the scale of today's
> million-name TLD operators? I.e., does ICANN do EPP, WhoIs, etc.?
> Does ICANN have an established relationship with its DNS
> operators? These are the questions ICANN asked of the bidders for
> TLDs in the past. If the growth is explosive, will ICANN rush to
> outsource the function?
>
> Maybe the root won't become that mammoth. Maybe the demand for a
> TLD isn't the same as the demand to have one's names in many TLDs.
> I don't know what gating function will be able to keep the root
> zone both tractable and stable yet be fair in determining who gets
> a delegation. If the gating is purely money, then I have a hunch
> there will be all sorts of bureaucratic problems. If the price is
> well above cost and ICANN develops deep pockets it becomes a target
> and all that money is money not invested in the industry they
> regulate.
>
>> maybe it's a non-issue (I hope) or off topic, but I was wondering if
>> anyone sees scaling issues that might impact security/deployability.
>
> It will depend on how the root grows. Scaling issues are not
> linear, there are thresholds where systems become more complex.
> Thresholds aren't just fixed numbers, they are bands and often
> times one crosses through one without knowing and then faces the
> problems.
>
> Besides - change is always a problem for security. Any change.
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> =-=-=-=-
> Edward Lewis
> +1-571-434-5468
> NeuStar
>
> Never confuse activity with progress. Activity pays more.