How is DNSSEC

Ben Laurie ben at links.org
Wed Mar 26 14:01:50 EDT 2008


Dave Howe wrote:
> James A. Donald wrote:
>>  From time to time I hear that DNSSEC is working fine, and on 
>> examining the matter I find it is "working fine" except that ....
> 
> DNSSEC is "working fine" as a technology. However, it is worth 
> remembering that it works based on digitally signing an entire zone - 
> the state of the world being what it is, most people prohibit xfer so 
> any other technology that would allow a zonewalk is not going to be 
> deployed.
> 
> as far as I can tell, this is a basic design flaw, so isn't going to be 
> rectified anytime soon.

RFC 5155 rectifies this design flaw.

-- 
http://www.apache-ssl.org/ben.html           http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list