
Re: opportunistic encryption deployment problems



Jakob writes:

>what makes DNSSEC weak just because the root is not signed? there is
>nothing that stops us from signing the in-addr.arpa zone before root and
>when this is done people can start trusting it immediately if they like
>to.

Well... I'm not really an expert on how secure DNS works, but
in order for the in-addr.arpa zone to be signed, doesn't
some big entity somewhere have to actually get down to
doing this? I.e., we as a group of OE interested people
can't do it by ourselves. Some big, slow, entity has to
get on board as well. Rather like someone founding the
global root CA. You're probably right in saying that
the root doesn't have to be signed, but something central
does have to happen before beyond you putting your own
key to your own DNS. Right?

Jari

