How is DNSSEC
Florian Weimer
fw at deneb.enyo.de
Sat Mar 22 04:48:03 EDT 2008
* James A. Donald:
> From time to time I hear that DNSSEC is working fine, and on examining
> the matter I find it is "working fine" except that ....
>
> Seems to me that if DNSSEC is actually working fine, I should be able
> to provide an authoritative public key for any domain name I control,
> and should be able to obtain such keys for other domain names, and use
> such keys for any purpose, not just those purposes envisaged in the
> DNSSEC specification. Can I? It is not apparent to me that I can.
DNS is hierarchical. Nobody wants the DoD (who are traditionally quite
good at keeping secret data) or any other institution to keep keys at
important positions in the hierarchy. And nobody wants to be the keep
irreplaceable keys, either, which makes introduction at levels below the
DNS root difficult.
This is not a problem with the browser PKI because it's possible to
replace root certificates with a software update (which can be automated
in many cases).
And as Bill pointed out, it's not possible to use the DNS keys directly.
However, you can bootstrap another key based on data from DNS. This
even works without DNSSEC. DKIM does that, for instance.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list