DNSSEC to be strangled at birth.

Paul Hoffman paul.hoffman at vpnc.org
Thu Apr 5 10:32:09 EDT 2007


<anti-rant>

At 5:51 PM +0100 4/4/07, Dave Korn wrote:
>   Can anyone seriously imagine countries like Iran or China signing up to a
>system that places complete control, surveillance and falsification
>capabilities in the hands of the US' military intelligence?

No.

But how does having the root signing key allow those?

Control: The root signing key only controls the contents of the root, 
not any level below the root.

Surveillance: Signing keys don't permit any surveillance.

Falsification: This is possible but completely trivially detected (it 
is obvious if the zone for furble.net is signed by . instead of 
.net). Doing any falsification will cause the entire net to start 
ignoring the signature of the root and going to direct trust of the 
signed TLDs.

>  Surely if this goes ahead, it will mean that DNSSEC is doomed to widespread
>non-acceptance.

More than it is now?

>And unless it's used everywhere, there's very little point
>having it at all.

Fully disagree. Many ISPs and individuals will be happy to do direct 
trust of the significant zones (com/net/org plus maybe their local 
ccTLD) and simply ignore signatures on the rest. This has already 
been well-discussed in the ISP community even before this event: many 
are not sure they trust ICANN itself, much less its current "sponsor".

Note that I'm not supporting the US signing the root in the least. 
I'm just saying that predicting doom is grossly premature.

</anti-rant>

--Paul Hoffman, Director
--VPN Consortium
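The chain-of-trust logic behind the reply above (a root key only vouches for the root's own contents, furble.net data signed by "." is immediately detectable, and a resolver may anchor trust directly at com/net/org instead of at the root) as an added toy model. This is illustration code, not part of Paul Hoffman's post or of any real resolver: the hashing stands in for real RRSIG verification, and every zone name, key and DS value is constructed.

```python
import hashlib

def h(*parts): return hashlib.sha256("|".join(parts).encode()).hexdigest()

# Constructed toy key ids per zone (stand in for DNSKEY) and the delegation tree.
KEYS = {".": h("key", "root"), "net": h("key", "net"), "furble.net": h("key", "furble")}
DELEGATION = {"furble.net": "net", "net": "."}  # child zone -> parent zone
def ds(pubkey): return h("ds", pubkey)  # DS record: digest of the child's key, published by the parent
def rrsig(signer, pubkey, data):  # toy RRSIG; the tag stands in for an RSA/ECDSA signature
    return {"signer": signer, "key": pubkey, "tag": h("sig", pubkey, data)}

def apex(name):
    """Zone that owns `name`: the most specific delegated zone that is a suffix of it."""
    for zone in sorted(DELEGATION, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            return zone
    return "."

def key_trusted(zone, pubkey, dnskeys, ds_records, anchors):
    """Trusted if it is a configured anchor, or matches the parent's DS and the parent's key is trusted."""
    if zone in anchors:  # direct trust: the walk stops here and the root is never consulted
        return anchors[zone] == pubkey
    parent = DELEGATION.get(zone)
    if parent is None or ds_records.get(zone) != ds(pubkey):
        return False
    return key_trusted(parent, dnskeys[parent], dnskeys, ds_records, anchors)

def validate(name, data, sig, dnskeys, ds_records, anchors):
    """Return (ok, reason) for RRset `data` at `name` carrying RRSIG `sig`."""
    if sig["signer"] != apex(name):  # furble.net data signed by "." instead of furble.net is obvious
        return False, f"{name} signed by {sig['signer']!r}, expected {apex(name)!r}"
    if sig["tag"] != h("sig", sig["key"], data):
        return False, "signature does not verify"
    if not key_trusted(sig["signer"], sig["key"], dnskeys, ds_records, anchors):
        return False, f"no chain of trust to the key of {sig['signer']!r}"
    return True, "secure"

def scenarios():
    honest_ds = {z: ds(KEYS[z]) for z in DELEGATION}  # what each parent publishes for its children
    data, root_anchor, net_anchor = "furble.net A 192.0.2.1", {".": KEYS["."]}, {"net": KEYS["net"]}
    # 1. Normal answer signed by furble.net, chained up through net to a root anchor.
    good = validate("furble.net", data, rrsig("furble.net", KEYS["furble.net"], data), KEYS, honest_ds, root_anchor)
    # 2. Falsification: the root-key holder signs furble.net's data itself.
    forged = validate("furble.net", data, rrsig(".", KEYS["."], data), KEYS, honest_ds, root_anchor)
    # 3. Root swaps net's DS and DNSKEY for a rogue key: passes via the root anchor, fails via a direct net anchor.
    rogue = h("key", "rogue-net")
    rogue_keys, rogue_ds = dict(KEYS, net=rogue), dict(honest_ds, net=ds(rogue))
    soa = rrsig("net", rogue, "net SOA")
    via_root = validate("net", "net SOA", soa, rogue_keys, rogue_ds, root_anchor)
    via_direct = validate("net", "net SOA", soa, rogue_keys, rogue_ds, net_anchor)
    return good, forged, via_root, via_direct
```

Scenario 3 is the one the post's ISPs are guarding against: a resolver configured with net's real key as its anchor never consults the root's DS for net, so a rewritten root has nothing to offer it.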

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com