hat tip to .gov hostmasters

marcus.sachs at verizon.com marcus.sachs at verizon.com
Mon Sep 22 10:16:20 CDT 2008

DNSSEC is not a PKI.  There are no CAs and no X.509 certificates.  It's a chain of trust that can be validated using public/private key pairs.  OK, that's oversimplification but you get the idea.

While we wait for applications to become DNSSEC-aware, if your local DNS server can be trusted (a big "if" of course) then it can proxy the DNSSEC awareness for you.  Since nearly everybody trusts a local DNS server to resolve queries, then making that server DNSSEC aware is an enormous step forward, even if the actual applications and operating systems on end-user computers are not fully DNSSEC-aware and won't be for many years to come.


-----Original Message-----
From: Florian Weimer [mailto:fweimer at bfk.de] 
Sent: Monday, September 22, 2008 11:10 AM
To: Colin Alston
Cc: nanog at nanog.org
Subject: Re: hat tip to .gov hostmasters

* Colin Alston:

>> Correct, you need a validating, security-aware stub resolver, or the
>> ISP needs to validate the records for you.

> In public space like .com, don't you need some kind of central
> trustworthy CA?

No, why would you?  You need to trust the zone operator, and you need
some trustworthy channel to exchange trust anchors at one point in
time (a significant improvement compared to classic DNS, where you
need a trustworthy channel all the time).

Florian Weimer                <fweimer at bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the NANOG mailing list