hat tip to .gov hostmasters

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Sep 22 10:19:46 CDT 2008


On Mon, Sep 22, 2008 at 10:52:42AM -0400, Jason Frisvold wrote:
> On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <darkuncle at gmail.com> wrote:
> > nice to see a wholesale DNSSEC rollout underway (I must confess to being a
> > little surprised at the source, too!). Granted, it's a much more manageable
> > problem set than, say, .com - but if one US-controlled TLD can do it, hope
> > is buoyed for a .com rollout sooner rather than later (although probably not
> > much sooner :)).
> 
> I'm not much up on DNSSEC, but don't you need to be using a resolver
> that recognizes DNSSEC in order for this to be useful?
> 
> > /sf
> 
> 
> -- 
> Jason 'XenoPhage' Frisvold
> XenoPhage0 at gmail.com
> http://blog.godshell.com


	yes and no.  to fully trust the data from the servers you need
	three things:

	) signed data (this is what .gov is doing)
	) a validator in the end system (this is mostly missing/not configured today)
	) accurate trust anchors from a couple of places in the DNS namespace ##

	however,
	
	if all you start with is signed data - it becomes possible to verify the
	source of the data - independently of inline DNS validation.  e.g. you 
	can - with a high degree of certainty, be assured that the root zone you 
	load is really the ORSN root and not that flaky root from DoC/ICANN/VSGN... :)

	so "naked" signed data, in the absence of TA's or validators is still
	useful.


## you'll need a couple of these - and how you get them and keep them up to date is
   still a mostly unsolved operational problem.

--bill




More information about the NANOG mailing list