To:
iesg@ietf.org
Cc:
dnsop@cafax.se
From:
"D. J. Bernstein" <djb@cr.yp.to>
Date:
12 Mar 2000 20:35:50 -0000
Sender:
owner-dnsop@cafax.se
Subject:
Re: Last Call: Root Name Server Operational Requirements to BCP
Scott Bradner writes: > it only covers what the name says it covers But that's simply not true. Look at what the document says: * The abstract explicitly includes ``other major zone server operators'' in the document's audience. * Section 1.5 expresses ``great concern'' for the security of data ``in the root zone or TLDs.'' * Sections 2.3, 2.7, and 3.3.9 deal with load problems---which are in the .com zone, not the root zone. If the intent really is nothing more than to secure the root zone, then I have several objections to the document: (1) Securing the root zone, without securing any TLDs, is a stupid goal. It does not protect any DNS users. (2) The document deceives readers as to its intent. It needs to make clear that, yes, it really is focused on this stupid goal, and it was written with no consideration of TLDs or any other zones. (3) The root zone can be securely and efficiently distributed through USENET (backed up by HTTP) as a PGP-signed file, say once a week, and installed locally by ISPs. This procedure achieves the goal, unlike the procedure in the document---DNSSEC doesn't work. This procedure also has much lower cost than the procedure in the document: far fewer computers and networks need to be secured. However, despite Bush's statement, I find it difficult to believe that this was actually the intent of the document. I'd like to hear comments on this topic from the other authors. ---Dan