America takes over DNS
bmanning at karoshi.com
Mon Apr 2 18:18:45 UTC 2007
On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
>
> Hi,
>
> >Wouldn't the holder of these keys be the only ones able to spoof
> >DNSSEC?
>
> Yes. This is an assumption of DNSSEC, regardless of who signs the
> root. The implication of this (and the fact that emergency key
> rollover requires everyone on the planet with a validating resolver
> to update the root trust key manually) is that protecting the root
> key signing key is a bit important.
>
> Rgds,
> -drc
one important attribute of key roll would seem to be
the lack of a "flag-day". ... there are at least a
couple of proposals that mitigate that particular risk.
--bill