jad

In response to Patrik Faltstrom on DNSSEC implications Millton Mueller wrote “Not so gratifying is that Patrik’s response reveals that even technical experts in DNS can fail to understand the governance implications of the technologies they work with daily. This has been a longstanding problem in the Internet technical community.”

One could of course argue that it is not so gratifying that even governance experts can fail to understand the technical implications of the technologies they are talking about.

Patrik is absolutely right when he says “trust on the DNS has nothing to do with DNSSEC. It has to do with trust of the namespace, the hierarchy of names that start with the root. The real power because of this sits within the process that define what tokens (or names) should exist directly under the root.”

As Roy Arends, good friend of mine and one of the authors of RFC ’s 4033-35 likes to say “DNSSEC is just error detection”.

Milton goes on to talk about the limitations that DNSSEC puts on the ability of concerned parties to split the root. (For now we will ignore the fact that multiple roots are a very bad idea). As Patrik points out this misses the point. Without DNSSEC, if you want to use a alternate root you just configure different IP addresses for the root. With DNSSEC and signed roots, if you want to use an alternate root you just configure different IP addresses and a different trust anchor. It is easy! Milton goes on to ask Patrik “Have you considered the costs and compatibility issues of coordinating the management and rollover of private keys for multiple roots?” This is irrelevant, if you can manage and rollover the key for one root you can do it for several and no coordination is needed between the roots.