America takes over DNS
David Conrad
drc at virtualized.org
Mon Apr 2 14:45:08 UTC 2007
Hi,
> Wouldn't the holder of these keys be the only ones able to spoof
> DNSSEC?
Yes. This is an assumption of DNSSEC, regardless of who signs the
root. The implication of this (and the fact that emergency key
rollover requires everyone on the planet with a validating resolver
to update the root trust key manually) is that protecting the root
key signing key is a bit important.
Rgds,
-drc
More information about the NANOG mailing list