NCSG-DISCUSS Archives

Date: Tue, 27 Oct 2009 10:13:02 +0300

On Tue, Oct 27, 2009 at 5:14 AM, Milton L Mueller <[log in to unmask]> wrote:
>>
>> The root must be signed.
>
> I am moving to the conclusion that the root should not be signed.

It's not a MUST/MUST NOT/SHOULD/SHOULD NOT issue.

The root WILL be signed, the plan seems to be ready.

http://www.ripe.net/ripe/meetings/ripe-59/presentations/uploads/presentations/Tuesday/Plenary%2014:00/Abley-DNSSEC_for_the_Root_Zone.mId7.pdf

MM
The crypto-politics involved are increasingly complex and scary, and
the root is already too much of a political football. DNSSEC just
makes the whole DNS that much more rigid, complex and contentious.

It certainly makes DNS admin more complex.

>
> Anyway, in terms of priorities, DNSSEC comes at the end of the list in my book; it imposes the greatest burden on the root, it poses the greatest risks for a fairly small amount of added security.

I agree it is a small measure of security, at not insignificant cost.
We have known about these threats to the DNS for two decades. DNSSEC
has been developed over ~15 of these years.  The people who have
invested time and energy in development and deployment are a
considerable force within ICANN.  I don't think anyone can stop
root signing at this point.

>
> Most of the enormous security problems we have on the Internet today will not be improved by DNSSEC implementation at the root. And many of the advantages of DNSSEC can be gained at the TLD level without signing the root.

The first part of the sentence is correct, the second not so much.

While some TLDs are signed, DNSSEC was meant to be signed at the root,
so the chain of delegations flows thru the DNS hierarchy.  Signing
TLDs makes it a much more brittle and expensive process, perhaps
outweighing the security advantages in the long term.


-- 
Cheers,

McTim
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there."  Jon Postel
