On Mon, Sep 22, 2008 at 10:52:42AM -0400, Jason Frisvold wrote:
> On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <[EMAIL PROTECTED]> wrote:
> > nice to see a wholesale DNSSEC rollout underway (I must confess to being a
> > little surprised at the source, too!). Granted, it's a much more manageable
> > problem set than, say, .com - but if one US-controlled TLD can do it, hope
> > is buoyed for a .com rollout sooner rather than later (although probably not
> > much sooner :)).
> 
> I'm not much up on DNSSEC, but don't you need to be using a resolver
> that recognizes DNSSEC in order for this to be useful?
> 
> > /sf
> 
> 
> -- 
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]
> http://blog.godshell.com


        yes and no.  to fully trust the data from the servers you need
        three things:

        ) signed data (this is what .gov is doing)
        ) a validator in the end system (this is mostly missing/not configured today)
        ) accurate trust anchors from a couple of places in the DNS namespace ##

        however,
        
        if all you start with is signed data - it becomes possible to verify the
        source of the data - independently of inline DNS validation.  e.g. you 
        can - with a high degree of certainty, be assured that the root zone you
        load is really the ORSN root and not that flaky root from DoC/ICANN/VSGN... :)

        so "naked" signed data, in the absence of TA's or validators is still
        useful.


## you'll need a couple of these - and how you get them and keep them up to date is
   still a mostly unsolved operational problem.

--bill
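
The three pieces Bill lists (signed data, a validator in the end system, and trust anchors), and his point that "naked" signed data is still useful without the other two, can be modelled in a few dozen lines. The following is an added example and is not part of the thread, of any resolver, or of the .gov deployment: it is a deliberately simplified model of DNSSEC, not the RFC 4034 wire format. Records are kept as text triples, the RRSIG is an Ed25519 signature (DNSSEC algorithm 15) over the canonically ordered RRset, the DS record is modelled as a SHA-256 digest of the zone's public key, and the trust anchor is that digest pinned in the validator. All names (`NewZoneKey`, `Validator`, `NakedCheck`, the `gov.` sample zone and its records) are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// RR is a simplified resource record: owner name, type and presentation-format rdata.
// Real DNSSEC signs wire-format RRs; this model keeps them as text for readability.
type RR struct{ Name, Type, Data string }

// canonicalRRset lowercases owner names and sorts the records, mirroring the
// canonical ordering RFC 4034 requires so signer and verifier hash the same bytes.
func canonicalRRset(rrs []RR) []byte {
	lines := make([]string, 0, len(rrs))
	for _, rr := range rrs {
		lines = append(lines, strings.ToLower(rr.Name)+"\t"+rr.Type+"\t"+rr.Data)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// Sig models an RRSIG: which zone signed the RRset, and the signature bytes.
type Sig struct {
	Signer string
	Sig    []byte
}

// NewZoneKey models generating a zone's DNSKEY pair (hypothetical helper).
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRRset is the "signed data" piece: the zone operator signs the canonical RRset.
func SignRRset(zone string, priv ed25519.PrivateKey, rrs []RR) Sig {
	return Sig{Signer: zone, Sig: ed25519.Sign(priv, canonicalRRset(rrs))}
}

// VerifyRRset checks an RRSIG against a given public key, nothing more.
func VerifyRRset(pub ed25519.PublicKey, rrs []RR, sig Sig) bool {
	return ed25519.Verify(pub, canonicalRRset(rrs), sig.Sig)
}

// DSDigest models a DS record: a digest of the child's key that the parent (or a
// trust anchor) publishes, so a validator can tell the real zone key from a rogue one.
func DSDigest(zone string, pub ed25519.PublicKey) string {
	h := sha256.Sum256(append([]byte(strings.ToLower(zone)), pub...))
	return hex.EncodeToString(h[:])
}

// Validator is the "validator in the end system" piece; Anchors are the configured
// trust anchors (zone name -> expected DS digest) that Bill's footnote says are hard to keep current.
type Validator struct{ Anchors map[string]string }

// Validate walks the short chain: anchor pins the zone key, zone key verifies the data.
// The returned string says which of the three pieces was missing or wrong.
func (v Validator) Validate(rrs []RR, sig Sig, zoneKey ed25519.PublicKey) (bool, string) {
	anchor, ok := v.Anchors[sig.Signer]
	if !ok {
		return false, "no trust anchor for " + sig.Signer + ": signed, but cannot be chained to trust"
	}
	if DSDigest(sig.Signer, zoneKey) != anchor {
		return false, "zone key does not match trust anchor: wrong or rogue key"
	}
	if !VerifyRRset(zoneKey, rrs, sig) {
		return false, "signature does not verify: data was modified"
	}
	return true, "validated"
}

// NakedCheck models Bill's "naked signed data" case: no resolver-side validation and
// no trust anchors, but someone who already holds the publisher's key out of band
// (his ORSN root example) can still confirm the data really came from that publisher.
func NakedCheck(knownPub ed25519.PublicKey, rrs []RR, sig Sig) bool {
	return VerifyRRset(knownPub, rrs, sig)
}

func main() {
	// Constructed sample zone and records; not real .gov data.
	pub, priv := NewZoneKey()
	rrs := []RR{{"www.example.gov.", "A", "192.0.2.10"}, {"WWW.example.gov.", "A", "192.0.2.11"}}
	sig := SignRRset("gov.", priv, rrs)

	v := Validator{Anchors: map[string]string{"gov.": DSDigest("gov.", pub)}}
	fmt.Println(v.Validate(rrs, sig, pub))

	tampered := []RR{{"www.example.gov.", "A", "198.51.100.1"}, rrs[1]}
	fmt.Println(v.Validate(tampered, sig, pub))

	roguePub, _ := NewZoneKey()
	fmt.Println(v.Validate(rrs, sig, roguePub))

	fmt.Println(Validator{}.Validate(rrs, sig, pub)) // signed, but no anchor configured
	fmt.Println(NakedCheck(pub, rrs, sig))          // provenance without inline validation
}
```

The three failure branches in `Validate` correspond to the three things in the message: without an anchor the data is merely signed, with a wrong key the chain breaks, and with altered data the signature fails. `NakedCheck` succeeds in the last case only because the verifier was handed the key by some other channel, which is exactly the footnote's unsolved problem of obtaining and maintaining trust anchors.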
