[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 19:25:58 CEST 2008
Jim Reid wrote:
> On Oct 20, 2008, at 17:55, Dmitry Burkov wrote:
>
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> I'm not sure I understand the question Dima. DNSSEC is an enabling
> technology because it gives new opportunities (and challenges) to
> developers. If data from the DNS can be verified, that opens up all
> sorts of possibilities.
>
> One technical question that could be asked here is "what happens when
> idiot developers embed the root key in an embedded system (say) and
> then the root key changes?". Is that what you're asking about?

Jim,
I hope that you remember laws of Murphy and Peter...
or if it can happen it will happen and so on...

>
>> Depending on this - it can be critical.
>>
>> Second point - how it will be used for .arpa
>
> See above. We already have some (limited) experience here with the
> NCC's efforts to sign parts of the reverse tree.

the same problem will increase

>
>> Third point (not related to DNS - sorry - but similar problem) - sidr
>> and its deployment.
>
> I think it's unwise to link these. Though I suppose a signed part of
> the DNS name space would make it a whole lot easier to lookup and
> verify (secure) routing announcements.

But sidr deployed will raise more issues as potential "red button".

I want to return to your previous example with .ru.
I don't think that it could really happen with .ru - but I can easily
imagine this situation with some other country.
But when some probability exists I personally worry - as we can create
a potentially dangerous tool with the best intentions.

When in our world services for citizens more and more depend on
Internet - I really worry about principal changes in Internet
architecture.
If before we de facto had a system which depended more on techies -
person and professional-based responsibility - in future we can get
a more automated system which will lose this previous basement and can
become a weapon in hands of politicals.

Dima