On Wed, Jan 03, 2018 at 11:54:42PM +0000, Nick Hilliard <nick@xxxxxxxxxx> wrote a message of 34 lines which said:

> The technical work on this was done in two tranches: the first works in
> the 1990s were a result of the AlterNIC saga, when BIND 4.9 was hardened
> against dns pollution from alternative servers. Until then, DNS
> poisoning from misconfigured and malconfigured DNS server had been an
> ongoing problem, but this formed a new baseline standard for handling
> cache pollution.

I don't see the relationship with the structure of the domain name tree, or with the role of the root.

> The second major improvement was dnssec, which requires a single
> root per resolver. If Russia or anyone else sets up an alternative
> root, then dnssec-enabled resolution will fail for dnssec domains on
> other roots.

No, they would simply put the new key in their resolver. This is how all the DNSSEC-signed alternative roots work, like Yeti <draft-song-yeti-testbed-experience>.

> Incidentally, alternative DNS roots are nothing new. ICANN even has an
> info page on them:
>
> https://icannwiki.org/Alternative_Roots

icannwiki.org is NOT managed by ICANN.