This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/

[dns-wg] Re: root zone signing

Previous message (by thread): [dns-wg] Re: root zone signing
Next message (by thread): [dns-wg] Re: root zone signing

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jim Reid jim at rfc1035.com
Mon Oct 20 19:09:04 CEST 2008

On Oct 20, 2008, at 17:55, Dmitry Burkov wrote:

> for me the issue - as I wrote in previous email to Joao - it is how  
> it can be used in software in future.

I'm not sure I understand the question Dima. DNSSEC is an enabling  
technology because it gives new opportunities (and challenges) to  
developers. If data from the DNS can be verified, that opens up all  
sorts of possibilities.

One technical question that could be asked here is "what happens when  
idiot developers embed the root key in an embedded system (say) and  
then the root key changes?". Is that what you're asking about?

> Depending on this - it can be critical.
>
> Second point - how it will be used for .arpa

See above. We already have some (limited) experience here with the  
NCC's efforts to sign parts of the reverse tree.

> Third point (not related to DNS - sorry - but simular problem) -  
> sidr and it's deployment.

I think it's unwise to link these. Though I suppose a signed part of  
the DNS name space would make it a whole lot easier to lookup and  
verify (secure) routing announcements.

Previous message (by thread): [dns-wg] Re: root zone signing
Next message (by thread): [dns-wg] Re: root zone signing

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[ dns-wg Archives ]