John,

I think it would be interesting to explore this a bit more.  In particular,
let's suppose the USG wished to remove Russia from the root zone.

If the change to each TLD's portion of the root zone required the active
participation of the TLD operator, and if the entire root zone were signed,
it would then be impossible for the USG to force a change to the (signed)
root.

You argue the USG could require the USG root operators, E, G and H, to
simply not respond to queries for .ru, .su, ."rho phi" or the USG could
force distribution of a modified root zone that would be unsigned or have
an invalid signature.  But I think everyone would quickly ignore the
unsigned or invalidly signed root zone and remove the E G and H roots from
their list of root servers.

Perhaps there would be other things the USG could try.  If you can think of
them, please speak up.

The above is, as you said, all at the technical level.  Another reason for
implementing strong technical controls is it sends a clear message that
root zone integrity is taken seriously, and makes it less likely the USG
would try to subvert it.

Thanks,

Steve

On Wed, Nov 12, 2025 at 6:03 PM John Levine <[email protected]> wrote:

> It appears that Steve Crocker  <[email protected]> said:
> >> Didn't it already do everything? It is now up to the OSes to use the
> >> protocols we defined?
> >
> >As more and more resolvers switch to using local copies of the root zone,
> >there may be a need to strengthen the process of providing those copies to
> >a very large set of resolvers.  That's the part that is not yet scoped and
> >may need design and implementation.
>
> Agreed, it's a scaling issue.
>
> >The primary purpose of such a design is to prevent improper forceful
> >removal of legitimate entries from the root zone.  This is stronger than
> >detecting the problem after the fact.
>
> I don't think the history of technical approaches to political issues is very
> promising. At least three of the root servers are run by parts of the US
> government, so if they get a political command to, say, remove .VE from the
> root, they're going to do it. If it breaks part of DNSSEC, and different roots
> give different results, too bad.
>
> R's,
> John
>
> PS: I hope we all are familiar with https://xkcd.com/538/
>


_______________________________________________
DNSOP mailing list -- [email protected]