In message <52d5db58.3040...@dougbarton.us>, Doug Barton writes:
> On 01/14/2014 04:43 PM, Doug Barton wrote:
> > Other than the DS records (if any) the records associated with a given
> > TLD (specifically the NS records) in the root are not signed.
>
> ... obviously the glue records are not signed either of course. My point
> was that it's the delegation that some paranoid countries don't want
> removed, and DNSSEC isn't going to help that.
>
> Doug

And anyone can take the existing root zone, add a delegation and sign
the result with any key they control. If a government was to remove
a ccTLD I would suspect that there would be hundreds of people offering
such zones.

Additionally, you can just graft on a TLD and associated trust anchor
with existing validators if you don't want to regenerate the root, or
if you don't want to trust some random person to sign the root zone
for you, you can do it that way.

Removal of a ccTLD would cause short term disruption but the net as
a whole would route around the breakage. We have seen plenty of
examples of this in the past.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop