Maintained by: NLnet Labs

[Unbound-users] How to use Alternative Other Root DNS server with DNSSEC validation

Leen Besselink
Fri Aug 24 14:13:02 CEST 2012


> What you are trying to accomplish is wrong. Scattering roots and losing
> the global agreement on an address is just bad. I recommend you read:
>
> http://nohats.ca/wordpress/blog/2012/04/09/you-cant-p2p-the-dns-and-have-it-too/

I totally agree about not wanting to break the current global namespace.

I currently don't have a reason I'd want to change anything. Althought ICANN sometimes make strange decisions when looking at it from a far. Maybe make it harder
for the root to change something others might not like. There is obviously a whole process in place to handle root changes. So I don't expect anyone to do changes
at the root easily.

So I commented on the blog (still needs to be approved):
__

I think this problem of trust is about 1 root has control over all TLD's. I think no1 really cares what happends within the TLD.

We have many of those, so you have the power to choose your TLD. If you don't like .ca because they haven't DNSSEC-signed theirs yet, you can go somewhere else.

Ultimately one root can point a TLD at any set of nameservers. Yes, people would notice and it could break stuff and it would be a bad thing and all that.

So all we really need is some way of keeping the root in check, some safety net.

I really like the words: "trust agility", I have no idea what it really means in practise, but it sounds cool. :-) And it might apply here.

Why not create 5 roots that all serve the same data, the same data the original root serves. Just like a lot of the alternative roots we had in the past.

But with a twist, why not check all of them if they have the same data and the majority wins.

Now you configure your recursor to point to all 5, maybe even have something at the TLD which says which 3 or 5 the TLD trusts.

That is the only solution I see.
__

Not that I expect anyone to implement it. And maybe I should add what that the way for a TLD to show it's trust would be. Each root would need to do their
own DNSSEC-signing and the TLD would just have a DS-like record per root.