[dnssec-deployment] What does DNSSEC enable?

Olaf M. Kolkman olaf at ripe.net
Fri Jan 7 03:46:15 EST 2005


> What *WE* know is that very few people, if any, are verifying whether 
> the browser they have installed actually has not changed since the 
> master was loaded with certs. I also know that at least around 1998, no 
> browser was checking whether a cert in the CA cert chain was changed 
> with a simple editor. I.e. the cert still was claimed to be from, for 
> example, Verisign, but the content of the cert had changed to be some 
> bogus thing. An operation a trojan could do very easily.

Ouch... does that still work?

> Only path forward for browsers is, I think, that the people that 
> implement DNSSEC (i.e. "we") also hack the open source projects like 
> Mozilla so the right (another?) icon is displayed beside the padlock. I 
> think it would be very hard to get the browser hackers to do it. They 
> have enough problems getting CSS, Java and what not to work.


Bill mentioned in the Jabber room that there is some submerged
effort. More information on that would be good to have.

> A very cool application is, I think, the mix between DNS Dynamic 
> Updates (secured via SIG(0)), DNSSEC and IPSEC tunnels between devices 
> that move around (or get IP addresses in large networks from ISPs via 
> DHCP).

I recall Ted Lemon being very enthusiastic about the ability to fetch
a public key from the forward zone and then do all kinds of things
with DHCP and reverse DNS. I do not recall the exact architecture he
was getting at. (This was during a workshop we organized a long time
ago: http://ops.ietf.org/dns/dynupd/secure-ddns-howto.html).

Anybody on this list who runs into Ted on a regular basis? If not I'll mail him.

--Olaf
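The check the quoted post says browsers were not doing, namely noticing that a CA certificate's bytes were altered on disk while its label still claims to be the original issuer, as an added example that is not code from this list or from any browser project. It pins a manifest of SHA-256 fingerprints over each DER certificate in a PEM trust store, taken from the known-good master, and compares the installed store against that manifest. The PEM bundle, the placeholder certificate bytes and the function names are all constructed for the example; real DER roots would go through the same path.

```python
"""Trust-store integrity check: detect a CA certificate that was edited
on disk after the browser (or OS) trust store was installed.

Added example, not code from the dnssec-deployment list or any browser.
Assumption: the store is a PEM bundle and we keep a pinned manifest of
SHA-256 fingerprints of each DER certificate, taken when the store was
known good. A cert whose bytes were changed with an editor gets a
different fingerprint, so the manifest catches it even though the PEM
block still sits where the original issuer's root used to be.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_ders(bundle: str) -> list:
    """Split a PEM bundle into the DER bytes of each certificate."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the same value
    `openssl x509 -fingerprint -sha256` prints, without the colons."""
    return hashlib.sha256(der).hexdigest()


def build_manifest(bundle: str) -> dict:
    """Pin the known-good store: fingerprint -> position in the bundle."""
    return {fingerprint(d): i for i, d in enumerate(pem_to_ders(bundle))}


def check_store(bundle: str, manifest: dict) -> dict:
    """Compare an installed store against the pinned manifest.

    'missing' lists manifest positions whose cert is no longer present,
    'unknown' lists positions in the current store that were never pinned.
    An edited cert shows up as one missing plus one unknown; a rogue CA
    appended by a trojan shows up as unknown only.
    """
    current = {fingerprint(d): i for i, d in enumerate(pem_to_ders(bundle))}
    return {
        "missing": sorted(manifest[f] for f in manifest if f not in current),
        "unknown": sorted(current[f] for f in current if f not in manifest),
        "ok": set(current) == set(manifest),
    }


def _pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholder "certificates": opaque byte strings standing in
# for real DER, enough to exercise the fingerprint comparison.
GOOD_STORE = _pem(b"\x30\x82\x01\x00 constructed root A") + _pem(
    b"\x30\x82\x01\x00 constructed root B"
)
MANIFEST = build_manifest(GOOD_STORE)

# Trojan scenario 1: root B edited in place, label and position unchanged.
TAMPERED_STORE = _pem(b"\x30\x82\x01\x00 constructed root A") + _pem(
    b"\x30\x82\x01\x00 constructed root X"
)

# Trojan scenario 2: originals untouched, a rogue root appended.
ADDED_STORE = GOOD_STORE + _pem(b"\x30\x82\x01\x00 constructed rogue root C")

if __name__ == "__main__":
    for name, store in (("good", GOOD_STORE), ("tampered", TAMPERED_STORE), ("added", ADDED_STORE)):
        print(name, check_store(store, MANIFEST))
```

The manifest only detects change relative to what was pinned: it has to live somewhere a trojan running with the user's rights cannot rewrite it (signed, or held off-host), and pinning does not say anything about whether the pinned roots were trustworthy in the first place.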
