On Thursday 13 November 2025 05:07:30 UTC Steve Crocker wrote:
> ...
>
> [Levine] argues the USG could require the USG root operators, E, G and H, to
> simply not respond to queries for .ru, .su, ."rho phi" or the USG could
> force distribution of a modified root zone that would be unsigned or have
> an invalid signature. But I think everyone would quickly ignore the
> unsigned or invalidly signed root zone and remove the E G and H roots from
> their list of root servers.
i agree.

> The above is, as you said, all at the technical level. Another reason for
> implementing strong technical controls is it sends a clear message that
> root zone integrity is taken seriously, and makes it less likely the USG
> would try to subvert it.

one of the things we showed in the Yeti DNS project a few years ago is that fetching a zone, stripping its keys and signatures, adding an equivalent local set of keys and signatures, and republishing the modified zone to a trusting community of rdns operators, allows for modifications. our only modification was to replace the apex NS RRset, which was the actual purpose of the Yeti DNS experiment. however, the dnssec implications of our prework were profound.

i do not know why every nation and every large corporation doesn't do this, and make it a matter of local law or policy that the economy must trust the replacement key and use the replacement servers for priming. i'm glad they don't, but it would (technically speaking) work just fine.

-- 
Paul Vixie
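As an added example (not from this thread, nor code from the Yeti DNS project): the resolver-side check that decides whether a fetched root DNSKEY RRset is the one the operator chose to trust, by matching each SEP-flagged key against a configured DS-style trust anchor (RFC 4034 key tag, RFC 4509 SHA-256 digest). A zone whose keys were stripped and replaced with a local set, as described above, fails this check unless the operator has also swapped the anchor. All key material and the anchor below are constructed placeholders, not the IANA root values.

```python
import base64
import hashlib
import struct

def owner_to_wire(name: str) -> bytes:
    """Owner name in DNS wire form; the root "." is a single zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire form (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:  # RFC 4034 Appendix B, computed over the wire RDATA
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_sha256(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (RFC 4509): SHA-256(owner wire form || DNSKEY RDATA)."""
    return hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest()

def parse_dnskey(line: str):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64...>'."""
    f = line.split()
    i = f.index("DNSKEY")
    pub = base64.b64decode("".join(f[i + 4:]))
    return f[0], dnskey_rdata(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), pub)

def check_trust_anchor(anchor_ds: str, dnskey_lines) -> dict:
    """anchor_ds is '<keytag> <alg> 2 <sha256-hex>'; only SEP-flagged keys are tried."""
    tag, alg, dtype, digest = anchor_ds.split()
    for line in dnskey_lines:
        owner, rdata = parse_dnskey(line)
        if not struct.unpack("!H", rdata[:2])[0] & 0x0001:  # no SEP bit: a ZSK
            continue
        if (dtype == "2" and key_tag(rdata) == int(tag) and rdata[3] == int(alg)
                and ds_sha256(owner, rdata) == digest.lower()):
            return {"trusted": True, "key_tag": key_tag(rdata)}
    return {"trusted": False, "key_tag": None}

GENUINE_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))      # constructed, not a real key
REPLACEMENT_KSK = dnskey_rdata(257, 3, 8, bytes(range(65, 129)))  # constructed local re-sign key
TRUST_ANCHOR = "%d 8 2 %s" % (key_tag(GENUINE_KSK), ds_sha256(".", GENUINE_KSK))
def rr(rdata):  # presentation-form DNSKEY line, as a resolver would fetch it
    return ". 172800 IN DNSKEY 257 3 8 " + base64.b64encode(rdata[4:]).decode()
GENUINE_ZONE, RESIGNED_ZONE = [rr(GENUINE_KSK)], [rr(REPLACEMENT_KSK)]
```

`check_trust_anchor(TRUST_ANCHOR, GENUINE_ZONE)` reports the key as trusted, while the re-signed RRset yields `{"trusted": False, ...}`; the same function can be run over the output of a `DNSKEY .` query against any root server set.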
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
