To:
iesg@ietf.org
Cc:
dnsop@cafax.se
From:
"D. J. Bernstein" <djb@cr.yp.to>
Date:
12 Mar 2000 20:35:50 -0000
Sender:
owner-dnsop@cafax.se
Subject:
Re: Last Call: Root Name Server Operational Requirements to BCP
Scott Bradner writes:
> it only covers what the name says it covers
But that's simply not true. Look at what the document says:
* The abstract explicitly includes ``other major zone server
operators'' in the document's audience.
* Section 1.5 expresses ``great concern'' for the security of data
``in the root zone or TLDs.''
* Sections 2.3, 2.7, and 3.3.9 deal with load problems---which are
in the .com zone, not the root zone.
If the intent really is nothing more than to secure the root zone, then
I have several objections to the document:
(1) Securing the root zone, without securing any TLDs, is a stupid
goal. It does not protect any DNS users.
(2) The document deceives readers as to its intent. It needs to make
clear that, yes, it really is focused on this stupid goal, and it
was written with no consideration of TLDs or any other zones.
(3) The root zone can be securely and efficiently distributed through
USENET (backed up by HTTP) as a PGP-signed file, say once a week,
and installed locally by ISPs. This procedure achieves the goal,
unlike the procedure in the document---DNSSEC doesn't work. This
procedure also has much lower cost than the procedure in the
document: far fewer computers and networks need to be secured.
However, despite Bush's statement, I find it difficult to believe that
this was actually the intent of the document. I'd like to hear comments
on this topic from the other authors.
---Dan