Paul Vixie wrote:

> because right now the people who do this have to pirate the address space
> of root name servers, and they have to do it for all of our addresses.
> under this proposal, there would be no piracy required, and there would
> only be two address blocks per stack (two for v4, two for v6) to do it for.
Actually, I don't believe this is the case.

Here's why:
- the root servers are authoritative for "root-servers.net"
- root-servers.net is unsigned
- the root zone is signed
- the glue for the root zone (like all other glue) is not signed (or even
signable)

So, alternate root zone hints files, and alternate versions of root zones,
can be created and served, with only the NAMES of the root servers signed,
protected, and immutable.

The addresses associated with those names ( [a-m].root-servers.net ) are
replaceable in a way which is undetectable and unprotected by DNSSEC.

Thus, there is no need to hijack BGP routes. There is not even a
requirement that 13 unique addresses be used. The same single address could
be served up for all 13 entries (as glue data).

In that respect, arguably the proposal is kind of moot.

(On the other hand, I think this demonstrates the weakness of not pushing
for splitting the original "NS" into two different RR types (parent NS and
child NS), and making the authority for each the respective owner, and
having the owners signing them.)

I'd prefer to live in a world where BGP hijacking WAS necessary, and where
the root server addresses were signed, authoritatively served from within
the root zone directly (with no delegations).

E.g. change the names of the root servers to literally "a." through "m.",
and being in the root zone itself, have signed A/AAAA records served
(either in response to queries for their addresses, or as Additional data
with signatures when DO is set).

Any chance of that happening, in this century?

Brian
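An added example, not code from Brian's post or from any root operator, that turns the observation above into an operator-side check: DNSSEC protects the root NS RRset (the names) but not the glue addresses, so a resolver can only catch substituted glue by comparing a priming response against a locally trusted hints file and flagging shapes like every name mapping to one address. Names `parse_hints`, `check_priming`, the `rrsig_present` flag and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from collections import defaultdict

# Constructed hints in named.root style (NAME TTL TYPE RDATA); documentation
# addresses, not the real root server addresses.
TRUSTED_HINTS = """\
.                    3600000 NS   A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.  3600000 A    192.0.2.1
.                    3600000 NS   B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.  3600000 A    192.0.2.2
.                    3600000 NS   C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.  3600000 A    192.0.2.3
"""

def parse_hints(text):
    """Return {lowercased name: set of A/AAAA rdata} from named.root-style text."""
    addrs = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[2] in ("A", "AAAA"):
            addrs[fields[0].lower()].add(fields[3])
    return dict(addrs)

def check_priming(response, hints):
    """response: list of (name, rtype, rdata, rrsig_present) modelling a priming
    answer. Returns a list of findings; an empty list means nothing suspicious."""
    findings = []
    ns_records = [r for r in response if r[0] == "." and r[1] == "NS"]
    ns_names = {r[2].lower() for r in ns_records}
    if not ns_names:
        findings.append("no root NS RRset in response")
    if any(not r[3] for r in ns_records):
        findings.append("root NS RRset not covered by RRSIG")
    seen = defaultdict(set)          # glue is unsigned, so compare it to the hints
    for name, rtype, rdata, _ in response:
        if rtype in ("A", "AAAA"):
            seen[name.lower()].add(rdata)
    for name, got in sorted(seen.items()):
        if name not in ns_names:
            findings.append(f"glue for {name} is not in the signed NS RRset")
        expected = hints.get(name, set())
        if got != expected:
            findings.append(f"glue for {name} is {sorted(got)}, hints say {sorted(expected)}")
    distinct = set().union(*seen.values())
    if len(seen) > 1 and len(distinct) == 1:   # the "one address for all 13" shape
        findings.append(f"all {len(seen)} root server names map to {distinct.pop()}")
    return findings

SUSPECT_RESPONSE = [  # constructed: names signed, every glue record rewritten
    (".", "NS", "A.ROOT-SERVERS.NET.", True),
    (".", "NS", "B.ROOT-SERVERS.NET.", True),
    (".", "NS", "C.ROOT-SERVERS.NET.", True),
    ("A.ROOT-SERVERS.NET.", "A", "203.0.113.9", False),
    ("B.ROOT-SERVERS.NET.", "A", "203.0.113.9", False),
    ("C.ROOT-SERVERS.NET.", "A", "203.0.113.9", False),
]
```

Running `check_priming(SUSPECT_RESPONSE, parse_hints(TRUSTED_HINTS))` reports three address mismatches plus the single-address finding, none of which a DNSSEC validator would raise on its own.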
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop