[dns-wg] Re: root zone signing
Dmitry Burkov
dburk at burkov.aha.ru
Mon Oct 20 19:25:58 CEST 2008
Jim Reid wrote:
> On Oct 20, 2008, at 17:55, Dmitry Burkov wrote:
>
>> for me the issue - as I wrote in previous email to Joao - it is how
>> it can be used in software in future.
>
> I'm not sure I understand the question Dima. DNSSEC is an enabling
> technology because it gives new opportunities (and challenges) to
> developers. If data from the DNS can be verified, that opens up all
> sorts of possibilities.
>
> One technical question that could be asked here is "what happens when
> idiot developers embed the root key in an embedded system (say) and
> then the root key changes?". Is that what you're asking about?

Jim, I hope that you remember the laws of Murphy and Peter... or if it can happen it will happen and so on...

>
>> Depending on this - it can be critical.
>>
>> Second point - how it will be used for .arpa
>
> See above. We already have some (limited) experience here with the
> NCC's efforts to sign parts of the reverse tree.

the same problem will increase

>
>> Third point (not related to DNS - sorry - but similar problem) - sidr
>> and its deployment.
>
> I think it's unwise to link these. Though I suppose a signed part of
> the DNS name space would make it a whole lot easier to lookup and
> verify (secure) routing announcements.

But sidr deployed will raise more issues as a potential "red button".

I want to return to your previous example with .ru. I don't think that it could really happen with .ru - but I can easily imagine this situation with some other country. But when some probability exists I personally worry - as we can create a potentially dangerous tool with the best intentions. When in our world services for citizens depend more and more on the Internet - I really worry about principal changes in Internet architecture.

If before we de facto had a system which depended more on techies - person and professional-based responsibility - in future we can get a more automated system which will lose this previous basement and can become a weapon in the hands of politicians.

Dima