[DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
Andrew Sullivan <ajs@anvilwalrusden.com> Tue, 14 January 2014 17:22 UTC
Date: Tue, 14 Jan 2014 12:22:40 -0500
From: Andrew Sullivan <ajs@anvilwalrusden.com>
To: dnsop@ietf.org
Message-ID: <20140114172240.GO17198@mx1.yitter.info>
Subject: [DNSOP] More keys in the DNSKEY RRset at ., and draft-ietf-dnsop-respsize-nn
Dear colleagues,

For my sins, I have been following some of the recent discussions about "Internet governance". One of the discussions over on the "1net" list (http://1net-mail.1net.org/mailman/listinfo/discuss) is about the control by one particular government of the DNS root zone, and how uncomfortable that makes some other governments. The consequence has been renewed discussion on a somewhat older proposal for splitting up the management of the root zone keys. The proposal can be found at http://www.internetgovernance.org/wordpress/wp-content/uploads/SecuringTheRoot.pdf.

The proposal has the appealing property that nobody can "hijack" the root, and if you don't trust any particular actor then the approach ensures that it is at least technically difficult (or detectable) that someone has acted alone. But it has always seemed to me that the approach would result in a very great increase in the size of the root key RRset as well as the RRSIGs necessary at least over the DNSKEY RRset.

One response to this (http://1net-mail.1net.org/pipermail/discuss/2014-January/001057.html) is, "So what? It's the root. It'll be widely cached, and TCP is a small price to pay for this on the occasions it's needed." I am not sure I am so sanguine, but this put in my mind the draft-ietf-dnsop-respsize draft, which I now realise was never published as an RFC.

I'd like this thread to discuss the "so what, use TCP!" remark. I'd also like to ask either the chairs or the WG whether draft-ietf-dnsop-respsize-14 needs revision and, if so, what revision to be publishable, because I think it's needed advice.

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com
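One way to put numbers on the size concern raised above, as an added example that is not part of this message, the draft, or the cited proposal: the code below estimates the wire size of a root DNSKEY response from the count and RSA modulus sizes of the keys and the RRSIGs over the RRset (field layouts from RFC 4034, RSA key encoding from RFC 3110), then reports whether it fits a 512-byte UDP reply, an EDNS0 buffer, or needs TCP. The key counts and sizes in the scenarios are constructed, not the root zone's actual configuration.

```python
# Estimate the wire size of a root-zone DNSKEY response as the number of
# keys grows.  Field lengths follow RFC 4034 (DNSKEY, RRSIG) and RFC 3110
# (RSA public-key encoding).  Key counts and sizes used below are
# constructed scenarios, not the actual root zone configuration.

ROOT_NAME_LEN = 1                  # "." on the wire is a single zero byte
HEADER_LEN = 12                    # DNS message header
QUESTION_LEN = ROOT_NAME_LEN + 4   # QNAME + QTYPE + QCLASS
OPT_RR_LEN = 11                    # EDNS0 OPT pseudo-RR with empty RDATA
RR_FIXED_LEN = 10                  # TYPE + CLASS + TTL + RDLENGTH

def dnskey_rdata_len_rsa(modulus_bits, exponent_bytes=3):
    # flags(2) + protocol(1) + algorithm(1), then the RFC 3110 key:
    # 1-byte exponent length (exponent e=65537 is 3 bytes) + exponent + modulus
    return 4 + 1 + exponent_bytes + modulus_bits // 8

def rrsig_rdata_len_rsa(signing_key_bits, signer_name_len=ROOT_NAME_LEN):
    # 18 fixed bytes (type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag) + signer's name + signature,
    # and an RSA signature is as long as the signing key's modulus
    return 18 + signer_name_len + signing_key_bits // 8

def rr_len(rdata_len, owner_len=ROOT_NAME_LEN):
    return owner_len + RR_FIXED_LEN + rdata_len

def response_size(ksk_bits, zsk_bits, signer_bits, with_opt=True):
    """Bytes in a DNSKEY response for ".": every key in the answer section
    plus one RRSIG per signing key.  Name compression cannot shrink the
    1-byte root owner name any further."""
    size = HEADER_LEN + QUESTION_LEN
    size += sum(rr_len(dnskey_rdata_len_rsa(b)) for b in ksk_bits + zsk_bits)
    size += sum(rr_len(rrsig_rdata_len_rsa(b)) for b in signer_bits)
    return size + (OPT_RR_LEN if with_opt else 0)

def transport_needed(size, edns_buf=4096):
    """Which transport carries a response of this size without truncation."""
    if size <= 512:
        return "udp"          # fits a classic RFC 1035 UDP reply
    if size <= edns_buf:
        return "udp-edns"     # needs EDNS0 and a large enough advertised buffer
    return "tcp"              # TC bit set; the client must retry over TCP

if __name__ == "__main__":
    scenarios = {
        "1 KSK + 1 ZSK, DNSKEY signed by the KSK": ([2048], [1024], [2048]),
        "5 KSKs + 1 ZSK, every KSK signs": ([2048] * 5, [1024], [2048] * 5),
        "8 KSKs + 1 ZSK, every KSK signs": ([2048] * 8, [1024], [2048] * 8),
    }
    for label, (k, z, s) in scenarios.items():
        n = response_size(k, z, s)
        print(f"{label}: {n} bytes -> {transport_needed(n)}")
```

The estimate counts only the DNSKEY RRset and its signatures; a real response also varies with the EDNS buffer the resolver advertises and with whether the path can carry IP fragments, which is the ground the respsize draft covers.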