How is DNSSEC

Ben Laurie ben at links.org
Sat Mar 22 06:33:04 EDT 2008


James A. Donald wrote:
> From time to time I hear that DNSSEC is working fine, and on examining 
> the matter I find it is "working fine" except that ....
> 
> Seems to me that if DNSSEC is actually working fine, I should be able to 
> provide an authoritative public key for any domain name I control, and 
> should be able to obtain such keys for other domain names, and use such 
> keys for any purpose, not just those purposes envisaged in the DNSSEC 
> specification.  Can I?  It is not apparent to me that I can.

There are two major issues with DNSSEC right now. Neither of them is 
that it isn't working.

Firstly, the root is not signed. This means there's no easy way for the 
relying party to establish the correctness of the key on your domain.

Secondly, although we have DNS servers and resolvers, software that uses 
DNS is largely unaware of DNSSEC and so has absolutely no idea what to 
do when one of the many possible cryptographic/proof failures occurs. 
Very little thought has gone into what should be done, even in software 
that is aware.

That said, if you want to distribute keys with DNSSEC, then RFC 4398 
standardises ways to do a number of them, and can be extended to cover 
more. RFC 4255 gives you SSH host keys, too.

If you want to do something ad hoc, then there are always TXT records, 
though I guarantee this will make the DNS people hate you forever.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
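The two RFCs Ben names both hang a key fingerprint off a DNSSEC-signed name, and his second point (software has no idea what to do when validation fails) is really about the relying-party decision. The following is an added example, not code from Ben's post or from the list, and it is built around RFC 4255 only: it derives an SSHFP record from an SSH public-key blob (algorithm 1 = RSA, fingerprint type 1 = SHA-1 over the decoded key blob, which are the RFC 4255 code points) and then makes the client-side decision explicit, distinguishing a verified match from a mismatch, a missing record, and an answer that the resolver did not report as DNSSEC-validated. The host key is a constructed dummy with the right wire layout, not a real RSA key, and the `dnssec_validated` flag stands in for whatever the local resolver reports (for example the AD bit); both are assumptions of the example.

```python
import base64
import hashlib
import struct

# RFC 4255 SSHFP code points.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2}   # algorithm field
SSHFP_FPTYPE_SHA1 = 1                            # fingerprint type field


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key in SSH public-key blob layout: type name, then
# RSA exponent and modulus as SSH strings. The numbers are dummies chosen for
# this example and are NOT a usable RSA key; only the blob layout matters.
SAMPLE_HOST_KEY_BLOB = (
    ssh_string(b"ssh-rsa")
    + ssh_string(b"\x01\x00\x01")              # e = 65537
    + ssh_string(b"\x00" + b"\xc3" * 32)       # dummy modulus bytes
)
SAMPLE_HOST_KEY_B64 = base64.b64encode(SAMPLE_HOST_KEY_BLOB).decode("ascii")

# Constructed: same layout, one modulus byte changed, i.e. a key that does
# not correspond to the record the zone owner published.
OTHER_HOST_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-rsa")
    + ssh_string(b"\x01\x00\x01")
    + ssh_string(b"\x00" + b"\xc4" * 32)
).decode("ascii")


def key_type_of(blob: bytes) -> str:
    """The first SSH string in a public-key blob names the key type."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def sshfp_rdata(key_b64: str) -> tuple:
    """Return (algorithm, fp_type, fingerprint_hex) for a base64 public key.

    Per RFC 4255 the fingerprint is the SHA-1 hash of the decoded key blob,
    the same bytes an SSH client receives as the server's host key.
    """
    blob = base64.b64decode(key_b64)
    algorithm = SSHFP_ALGORITHM[key_type_of(blob)]
    fingerprint = hashlib.sha1(blob).hexdigest()
    return (algorithm, SSHFP_FPTYPE_SHA1, fingerprint)


def format_sshfp(owner: str, key_b64: str) -> str:
    """Render a zone-file SSHFP record for the given owner name."""
    algorithm, fp_type, fingerprint = sshfp_rdata(key_b64)
    return f"{owner} IN SSHFP {algorithm} {fp_type} {fingerprint}"


def verify_host_key(presented_key_b64: str, sshfp_records,
                    dnssec_validated: bool) -> str:
    """Relying-party decision for a host key presented during SSH connect.

    sshfp_records: iterable of (algorithm, fp_type, fingerprint_hex) tuples
    as returned by the resolver. dnssec_validated: whether the resolver
    reported the answer as validated; without that, a matching record proves
    nothing, because an unsigned answer could have been substituted.
    Returns one of 'verified', 'mismatch', 'no-record', 'unvalidated'.
    """
    if not dnssec_validated:
        return "unvalidated"
    records = list(sshfp_records)
    if not records:
        return "no-record"
    if sshfp_rdata(presented_key_b64) in records:
        return "verified"
    return "mismatch"


if __name__ == "__main__":
    print(format_sshfp("host.example.", SAMPLE_HOST_KEY_B64))
    published = [sshfp_rdata(SAMPLE_HOST_KEY_B64)]
    print(verify_host_key(SAMPLE_HOST_KEY_B64, published, True))   # verified
    print(verify_host_key(SAMPLE_HOST_KEY_B64, published, False))  # unvalidated
    print(verify_host_key(OTHER_HOST_KEY_B64, published, True))    # mismatch
```

The four return values are the point: a client that collapses them into one "something went wrong" path is the kind of software Ben describes, and a client that treats `unvalidated` as `verified` has gained nothing from DNSSEC at all, which is exactly why the unsigned root matters.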