[discuss] Having several trust anchors for DNSSEC (was Re: cgi.br release...)

Norbert Bollow nb at bollow.ch
Tue Jan 14 16:47:15 UTC 2014

Andrew Sullivan <ajs at anvilwalrusden.com> wrote:

> On Tue, Jan 14, 2014 at 12:17:09PM +0100, Norbert Bollow wrote:
> > Mueller proposed there --having several trust anchors for DNSSEC--
> > IMO still looks like a very good idea from today's perspective.
> I never understood how this was supposed to result in a manageable root
> zone response size.  The DNSKEY RRset size would be enormous, wouldn't
> it?

I'm not sure about your definition of “enormous”... if the number of
trust anchors were increased to say ten, the DNSKEY RRset size
for the root zone would increase by about an order of magnitude (a bit
less since only the number of KSKs needs to be increased). So what? It
can be transmitted by TCP. There is only one root zone, so the overall
extra data transfer is small in comparison to the total data
transferred by the root servers.

> > I propose to include this in the agenda for the São Paulo meeting.
> I think if the technical trade-off is shown to be realistic, it might
> be a useful topic for the agenda (in particular, working out the
> practical details).  If the technical issues are as serious as they've
> always appeared to me to be, however, then the proposal is just
> wishful thinking.
> I think it would be wise to take the conversation about technical
> details off-list and summarize later, because I'm not convinced most
> of the participants here are conversant with or interested in the
> technical details of the DNS.  If we want to discuss it in the
> presence of a lot of people who understand these issues (not a bad
> idea), I would suggest either the IETF dnsext list (which is the list
> that still exists from the now-shuttered DNS Extensions WG at the
> IETF: DNSSEC was developed there), or the IETF DNSOP list, or the OARC
> dns-operations list.  I can construct a pretty good argument for any
> one of these to be the correct venue, but I think we should pick one
> if we're going to have a list discussion.  These are all open lists,
> note, so if people want to see the discussion they can.

Fine with me; you're welcome to choose one of these to take the
technical aspects of this discussion to, and I'll come there.
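A back-of-the-envelope estimate of the root DNSKEY response size as the number of KSKs grows, added here as an illustration of the trade-off discussed above; it is not code from either poster or from any DNS project. It assumes root KSKs are RSA-2048 and the ZSK RSA-1024 with public exponent 65537 (3 bytes, RFC 3110 encoding), that each KSK produces its own RRSIG over the DNSKEY RRset, and that the response carries an EDNS0 OPT record with no options. The UDP payload thresholds (512, 1232, 4096) are common buffer sizes used for comparison, not measurements.

```python
# Estimate the wire size of a DNSKEY response from the root as a function of
# how many KSKs (i.e. candidate trust anchors) are published.
# Added example; assumptions: RSA-2048 KSKs and an RSA-1024 ZSK, exponent
# 65537 (3 bytes), one RRSIG per KSK over the DNSKEY RRset, EDNS0 OPT present.

DNS_HEADER = 12                 # fixed DNS message header
QUESTION = 1 + 2 + 2            # root name "." (1 byte) + QTYPE + QCLASS
OPT_RR = 11                     # EDNS0 OPT pseudo-RR with no options
RR_FIXED = 1 + 2 + 2 + 4 + 2    # owner "." + TYPE + CLASS + TTL + RDLENGTH


def rsa_pubkey_len(modulus_bits, exponent_bytes=3):
    # RFC 3110: 1-byte exponent length (exponent < 256 bytes), exponent, modulus
    return 1 + exponent_bytes + modulus_bits // 8


def dnskey_rr_len(modulus_bits):
    # RDATA: flags(2) + protocol(1) + algorithm(1) + public key
    return RR_FIXED + 2 + 1 + 1 + rsa_pubkey_len(modulus_bits)


def rrsig_rr_len(signature_bits):
    # RDATA: type covered(2) + algorithm(1) + labels(1) + original TTL(4)
    #        + expiration(4) + inception(4) + key tag(2) + signer "." (1)
    #        + signature (same length as the RSA modulus)
    return RR_FIXED + 2 + 1 + 1 + 4 + 4 + 4 + 2 + 1 + signature_bits // 8


def dnskey_response_len(num_ksk, num_zsk=1, ksk_bits=2048, zsk_bits=1024,
                        edns=True):
    # Answer section: all KSK and ZSK DNSKEY RRs plus one RRSIG per KSK.
    answer = (num_ksk * dnskey_rr_len(ksk_bits)
              + num_zsk * dnskey_rr_len(zsk_bits)
              + num_ksk * rrsig_rr_len(ksk_bits))
    return DNS_HEADER + QUESTION + answer + (OPT_RR if edns else 0)


def needs_tcp(size, udp_payload=4096):
    # A response larger than the advertised UDP payload is truncated and the
    # resolver retries over TCP.
    return size > udp_payload


if __name__ == "__main__":
    for n in (1, 2, 5, 10):
        size = dnskey_response_len(n)
        flags = "  ".join(f">{limit}: {needs_tcp(size, limit)}"
                          for limit in (512, 1232, 4096))
        print(f"{n:2d} KSK(s): {size:5d} bytes   TCP fallback {flags}")
```

With these parameters a single-KSK response is roughly 740 bytes, while ten KSKs push the DNSKEY response past a 4096-byte EDNS buffer (about 5.8 KB), so the "transmit it by TCP" remark in the message above would apply to every DNSKEY query at that size, not only to clients limited to 512-byte UDP. The estimate also shows why the RRSIGs matter as much as the keys: each additional KSK adds both a DNSKEY RR and a signature of the same length.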
