
Re: opportunistic encryption deployment problems



Well, yes and no.  You can go sign your own zone today.  If a client
is expecting you to be a secure zone, they can notice if you're not.
So, no, the root does not need to be secured.  However, you don't want
to require clients to know the keys to all zones, so that's why you
have a hierarchy; a client only needs to know the key to the root
of the hierarchy.

But no, you can start signing zones today.  Go look at tislabs.com --
they're signed :)

-derek

Jari Arkko <Jari.Arkko@lmf.ericsson.se> writes:

> Jakob writes:
> 
> >what makes DNSSEC weak just because the root is not signed? there is
> >nothing that stops us from signing the in-addr.arpa zone before root and
> >when this is done people can start trusting it immediately if they like
> >to.
> 
> Well... I'm not really an expert on how secure DNS works, but
> in order for the in-addr.arpa zone to be signed, doesn't
> some big entity somewhere have to actually get down to
> doing this? I.e., we as a group of OE interested people
> can't do it by ourselves. Some big, slow, entity has to
> get on board as well. Rather like someone founding the
> global root CA. You're probably right in saying that
> the root doesn't have to be signed, but something central
> does have to happen before beyond you putting your own
> key to your own DNS. Right?
> 
> Jari

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
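The point Derek makes above (a client needs only the key at the top of a signed subtree, not every zone's key, and a client that expects a zone to be signed can notice when it is not) can be shown with a small chain-of-trust walker. This is an added example, not code from anyone in the thread. It models a tree in which the root and com. are unsigned, tislabs.com. is signed (as the message says), and a constructed signed child zone lab.tislabs.com. plus a constructed unsigned example.com. sit beside it; the addresses are documentation-range values. The RRSIG stand-in is an HMAC with the DNSKEY token, so the validation structure (anchor, DNSKEY, DS, RRSIG) is faithful but the primitive is not a public-key signature.

```python
import hashlib
import hmac
import os


class Bogus(Exception):
    """A chain reaches a trust anchor, but a signature or DS check fails."""


# Toy stand-ins: a real DNSKEY is a public key and the RRSIG is made with the
# private half.  Here one 32-byte token plays both roles (HMAC), so only the
# structure of the chain is faithful, not the cryptographic primitive.
def sign(key, owner, data):
    return hmac.new(key, f"{owner}|{data}".encode(), hashlib.sha256).digest()


def ds_digest(dnskey):
    """DS record content: a digest of the child's DNSKEY, published by the parent."""
    return hashlib.sha256(dnskey).digest()


class Zone:
    def __init__(self, name, signed, parent=None):
        self.name, self.signed, self.parent = name, signed, parent
        self.dnskey = os.urandom(32) if signed else None
        self.rrsets = {}  # owner -> data
        self.rrsigs = {}  # owner -> signature, present only in signed zones

    def add(self, owner, data):
        self.rrsets[owner] = data
        if self.signed:
            self.rrsigs[owner] = sign(self.dnskey, owner, data)

    def delegate(self, child):
        """A signed parent publishes (and signs) a DS record for a signed child."""
        if self.signed and child.signed:
            self.add(f"{child.name}/DS", ds_digest(child.dnskey).hex())


class Validator:
    def __init__(self, zones, anchors):
        self.zones = {z.name: z for z in zones}
        self.anchors = dict(anchors)  # zone name -> DNSKEY the client trusts a priori

    def enclosing_zone(self, owner):
        labels = owner.split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in self.zones:
                return self.zones[cand]
        return self.zones["."]

    @staticmethod
    def sig_ok(zone, key, owner):
        sig = zone.rrsigs.get(owner)
        expected = sign(key, owner, zone.rrsets[owner])
        return sig is not None and hmac.compare_digest(sig, expected)

    def trusted_key(self, zone):
        """Key the client trusts for `zone`, or None when no chain reaches an
        anchor (the zone is then 'insecure': unsigned as far as this client knows)."""
        if zone.name in self.anchors:
            return self.anchors[zone.name]
        if not zone.signed or zone.parent is None:
            return None
        parent_key = self.trusted_key(zone.parent)
        ds_owner = f"{zone.name}/DS"
        if parent_key is None or ds_owner not in zone.parent.rrsets:
            return None  # parent is not secure, or publishes no DS for us
        if not self.sig_ok(zone.parent, parent_key, ds_owner):
            raise Bogus("DS record signature does not verify")
        published = bytes.fromhex(zone.parent.rrsets[ds_owner])
        if not hmac.compare_digest(published, ds_digest(zone.dnskey)):
            raise Bogus("child DNSKEY does not match the parent's DS")
        return zone.dnskey

    def validate(self, owner):
        zone = self.enclosing_zone(owner)
        try:
            key = self.trusted_key(zone)
        except Bogus:
            return "bogus"
        if key is None:
            return "insecure"
        return "secure" if self.sig_ok(zone, key, owner) else "bogus"


def build_world():
    """Constructed sample tree (hypothetical child and neighbour zones)."""
    root = Zone(".", signed=False)
    com = Zone("com.", signed=False, parent=root)
    tislabs = Zone("tislabs.com.", signed=True, parent=com)
    lab = Zone("lab.tislabs.com.", signed=True, parent=tislabs)
    example = Zone("example.com.", signed=False, parent=com)
    tislabs.add("www.tislabs.com.", "192.0.2.10")
    lab.add("host.lab.tislabs.com.", "192.0.2.20")
    example.add("www.example.com.", "192.0.2.30")
    tislabs.delegate(lab)  # DS for the child lives in the signed parent
    com.delegate(tislabs)  # no-op: com. is unsigned, so it cannot publish a DS
    return [root, com, tislabs, lab, example]


def demo():
    zones = build_world()
    z = {zone.name: zone for zone in zones}
    no_anchor = Validator(zones, {})
    one_anchor = Validator(zones, {"tislabs.com.": z["tislabs.com."].dnskey})
    expects_signed = Validator(zones, {"example.com.": os.urandom(32)})
    out = {
        "no anchor, www.tislabs.com.": no_anchor.validate("www.tislabs.com."),
        "tislabs anchor, www.tislabs.com.": one_anchor.validate("www.tislabs.com."),
        "tislabs anchor, host.lab.tislabs.com.": one_anchor.validate("host.lab.tislabs.com."),
        "tislabs anchor, www.example.com.": one_anchor.validate("www.example.com."),
        "example.com anchor, www.example.com.": expects_signed.validate("www.example.com."),
    }
    z["lab.tislabs.com."].rrsets["host.lab.tislabs.com."] = "198.51.100.9"  # tampered answer
    out["tislabs anchor, tampered host.lab"] = one_anchor.validate("host.lab.tislabs.com.")
    return out


if __name__ == "__main__":
    for label, status in demo().items():
        print(f"{label:45s} {status}")
```

With no anchor the signed tislabs.com. data is merely "insecure" (nothing to check it against); with the single tislabs.com. key configured, both that zone and its child validate through the DS record, the unsigned neighbour stays "insecure", a client that expects example.com. to be signed reports "bogus" when it is not, and a tampered record under the anchored subtree is also "bogus".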

