[dnssec-deployment] Discussion document for 14 July 2004 meeting
edlewis at arin.net
Wed Jul 28 11:49:29 EDT 2004
I've been away for a while, and there's been mail already in reply to
the original document, so I'd first say that I look forward to an
updated version before making substantial comments.
But there are two comments I want to make against the original.
Referring to figure 1, that trusted anchors do not flow from servers.
Name servers are not trusted points - that's why the data they hold
and transmit is signed. The source of the trust anchors will have to
come from an entity not represented in figure 1 - authority key
managers (the off-line place where keys are generated) or zone
The other comment is against the description of the CC.TRUST_ANCHOR.
Trust anchors aren't the "starting point" for the authentication
chain, but rather the end. Verification begins with the data in hand
and it's signature. The signature record holds the name of the
signer - the next link in the chain. When the signer (key) is known
as a trust anchor, you end the process.
That sounds minor, but it's the number one stumbling point for folks
entering DNSSEC. Validation is supposed to go from the data you want
up to a point you trust, not start at a point you trust trying to
find a way to trust the data you get. The protocol points upward.
Edward Lewis +1-703-227-9854
ARIN Research Engineer
"I can't go to Miami. I'm expecting calls from telemarketers." -
More information about the Dnssec-deployment