Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see
how it would help. Consider the following case:
(Forced by secret US law) The IANA secretly hands over the current
private key of the DNSSEC trust anchor to a US government agency which
uses the private key to sign forged zones and feeds them to DNS
resolvers. That way US government agencies would be able to manipulate
any DNS record including OpenPGP while users would be lulled into a false
sense of security.
In case I didn't miss any super-security feature, users should be aware
of that fact.
On 2014-07-28 15:52, Paul Wouters wrote:
3. Security considerations: The IANA has control over the DNSSEC root
keys. As the IANA is bound to US law, US government agencies probably
have access to the DNSSEC root keys and are capable of manipulating the
OpenPGP keys signed with DNSSEC.
There is currently a first attempt at specifying transparency for
DNSSEC for those who want to audit/track the DNSSEC root or parent
domain holders:
http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
Paul
--
Best regards,
Renne
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
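The two claims in this exchange, that a leaked trust-anchor private key makes forged zones validate exactly like real ones, and that an append-only transparency log of the kind draft-zhang-ct-dnssec-trans sketches can make such forgeries detectable rather than prevented, as a toy model. This is an added example, not code from the thread, from the draft, or from any DNSSEC implementation: the 12-bit "RSA" key standing in for the root KSK, the record layout, the TransparencyLog API, the resolver policy and the sample OPENPGPKEY records are all assumptions made for illustration.

```python
"""Toy model: a leaked trust-anchor key signs forgeries that validate, and a
transparency log lets a resolver refuse unlogged signatures and lets the zone
owner spot logged ones it never published.  Nothing here is the draft's format."""
import hashlib
import json

# Toy trust-anchor keypair (assumption: deliberately tiny, NOT secure).
P, Q = 61, 53
N = P * Q
E = 17                                   # public exponent = the published trust anchor
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent = the "root KSK" that leaks


def canon(record: dict) -> bytes:
    """Deterministic encoding of an RRset-like record (stand-in for DNSSEC canonical form)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _digest(record: dict) -> int:
    return int.from_bytes(hashlib.sha256(canon(record)).digest(), "big") % N


def sign(record: dict, d: int = D) -> int:
    """RRSIG stand-in: whoever holds d produces signatures the resolver accepts."""
    return pow(_digest(record), d, N)


def verify(record: dict, sig: int) -> bool:
    """What a validating resolver does today: check against the trust anchor alone."""
    return pow(sig, E, N) == _digest(record)


# Merkle log in the RFC 6962 style (0x00 leaf / 0x01 node prefixes).
def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _leaf(record: dict, sig: int) -> bytes:
    return _h(b"\x00" + canon(record) + sig.to_bytes(4, "big"))


def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)      # largest power of two strictly below n


def _root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _h(b"\x01" + _root(leaves[:k]) + _root(leaves[k:]))


def _path(leaves: list, index: int) -> list:
    """Audit path from leaf to root as (side-of-sibling, sibling_hash) pairs."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return _path(leaves[:k], index) + [("R", _root(leaves[k:]))]
    return _path(leaves[k:], index - k) + [("L", _root(leaves[:k]))]


def verify_inclusion(leaf: bytes, path: list, root: bytes) -> bool:
    node = leaf
    for side, sibling in path:
        node = _h(b"\x01" + sibling + node) if side == "L" else _h(b"\x01" + node + sibling)
    return node == root


class TransparencyLog:
    """Append-only public log of every signed record (assumed API, not the draft's)."""
    def __init__(self):
        self.entries = []                        # (record, sig) in append order

    def append(self, record: dict, sig: int) -> int:
        if not verify(record, sig):
            raise ValueError("log only accepts signatures that validate")
        self.entries.append((record, sig))
        return len(self.entries) - 1

    def root(self) -> bytes:
        return _root([_leaf(r, s) for r, s in self.entries])

    def inclusion_proof(self, index: int) -> list:
        return _path([_leaf(r, s) for r, s in self.entries], index)


def resolver_accept(record: dict, sig: int, proof, log_root: bytes) -> bool:
    """Transparency-aware resolver: signature must validate AND be provably logged."""
    if not verify(record, sig) or proof is None:
        return False                             # unlogged = unauditable, so reject
    return verify_inclusion(_leaf(record, sig), proof, log_root)


def audit(log: TransparencyLog, owner: str, published: list) -> list:
    """Zone owner's monitor: logged records for my name I never published = key misuse."""
    return [r for r, _ in log.entries if r["name"] == owner and r not in published]


# Constructed sample records: an OPENPGPKEY-like RRset, as in the thread.
LEGIT = {"name": "example.org", "type": "OPENPGPKEY", "data": "fingerprint-of-real-key"}
FORGED = {"name": "example.org", "type": "OPENPGPKEY", "data": "fingerprint-of-agency-key"}


def demo() -> dict:
    log = TransparencyLog()
    i = log.append(LEGIT, sign(LEGIT))           # owner publishes and logs its record
    forged_sig = sign(FORGED)                    # attacker signs with the leaked D
    out = {"forgery_validates": verify(FORGED, forged_sig),
           "legit_accepted": resolver_accept(LEGIT, sign(LEGIT), log.inclusion_proof(i), log.root()),
           "unlogged_forgery_accepted": resolver_accept(FORGED, forged_sig, None, log.root())}
    j = log.append(FORGED, forged_sig)           # to get a proof the attacker must log it...
    out["logged_forgery_accepted"] = resolver_accept(FORGED, forged_sig, log.inclusion_proof(j), log.root())
    out["auditor_finds"] = audit(log, "example.org", [LEGIT])   # ...and the owner's monitor sees it
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes explicit: `verify` cannot tell the forgery from the genuine record, so a stolen key defeats validation outright. The log changes the attacker's options rather than the cryptography: an unlogged forgery is rejected by a resolver that demands an inclusion proof, and a logged one is visible to the zone owner's monitor, which is detection after the fact, not prevention.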