[dnssec-deployment] dnssec automatic trust anchor configuration

Paul Wouters paul at xelerance.com
Wed Mar 7 20:56:53 EST 2007

On Wed, 7 Mar 2007, David Blacka wrote:

> > using DLV, we add more especially good targets apart from the Root key.
> > Suddenly, I also have to trust the root servers, Afilias' procedures on
> > the security of .org, ISC's security of their own domain and the DLV
> > records they are serving.
> Er...
> > Unless we are hardcoding the keys for dlv.isc.org, in which case we've
> > just moved the problem of a signed root key, and we now need another
> > solution to pass along the DLV uber key.
> If by "hardcoding" you mean: adding the trust anchor for dlv.isc.org to your
> resolver, then yes.  One of the reasons to use DLV is to get around the fact
> that the root isn't signed.  Having DLV depend on the root being signed would
> be ... counter-productive.

Indeed. And trusting the DNS to set up a DNS chain of trust is also
counter-productive. That was my point. The fact that RIPE uses other
methods, such as PGP signing using a web of trust, which is independent of
(verifiably secure) DNS, is a good thing.

A "DLV-CA" based on finding "dlv.isc.org" in the DNS seems like a less
good thing, unless there is some out-of-band verification that we're
at the right spot, which is exactly the problem we are trying to solve
in the first place.
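The following is an added example, not part of Paul Wouters' message or of anything ISC published. It shows the mechanical half of the out-of-band check the message calls for: a resolver operator who has pulled a DNSKEY for a lookaside zone over (unsigned) DNS reduces it to a DS-style digest (RFC 4034 key tag, RFC 4509 SHA-256 digest) and compares that against a digest obtained through some other channel, such as a PGP-signed announcement or a fingerprint read off a web page. The owner name dlv.example.net, the key bytes and the "published" DS string are all constructed for illustration and stand in for whatever the real out-of-band copy would be; none of them is ISC's real DLV key.

```python
"""Verify a DNSKEY received over DNS against a DS digest obtained out of band.

Added example, not code from the dnssec-deployment thread or from ISC.
Owner name, key material and the 'published' DS below are constructed.
"""
import base64
import hashlib
import hmac


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner: str, rdata: bytes) -> str:
    """RFC 4509 DS digest type 2: SHA-256 over owner name (wire form) || DNSKEY RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR: 'owner [TTL] [IN] DNSKEY flags proto alg base64...'."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], dnskey_rdata(flags, proto, alg, pubkey)


def anchor_matches(dnskey_line: str, published_ds: str) -> bool:
    """True iff the DNSKEY seen in DNS matches the out-of-band DS 'keytag alg 2 digest'."""
    owner, rdata = parse_dnskey(dnskey_line)
    tag, alg, digest_type, digest = published_ds.split()
    if int(digest_type) != 2:
        raise ValueError("only SHA-256 (DS digest type 2) is handled here")
    # Key tag and algorithm are cheap pre-checks; the digest is the real test.
    if int(tag) != key_tag(rdata) or int(alg) != rdata[3]:
        return False
    return hmac.compare_digest(ds_sha256(owner, rdata), digest.upper())


# Constructed sample data (hypothetical zone, not a real trust anchor).
SAMPLE_OWNER = "dlv.example.net."
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)          # KSK flag, proto 3, RSASHA256
SAMPLE_DNSKEY = f"{SAMPLE_OWNER} 3600 IN DNSKEY 257 3 8 " + base64.b64encode(SAMPLE_PUBKEY).decode()
# Stands in for the digest the operator obtained out of band (e.g. from a PGP-signed mail).
PUBLISHED_DS = f"{key_tag(SAMPLE_RDATA)} 8 2 {ds_sha256(SAMPLE_OWNER, SAMPLE_RDATA)}"

# A tampered key that keeps the same key tag (two even-position bytes swapped),
# so only the digest comparison can catch it.
_tampered = bytearray(SAMPLE_PUBKEY)
_tampered[0], _tampered[2] = _tampered[2], _tampered[0]
TAMPERED_DNSKEY = f"{SAMPLE_OWNER} 3600 IN DNSKEY 257 3 8 " + base64.b64encode(bytes(_tampered)).decode()


def demo() -> dict:
    """Run the check against the genuine and the tampered DNSKEY."""
    return {
        "genuine": anchor_matches(SAMPLE_DNSKEY, PUBLISHED_DS),
        "tampered": anchor_matches(TAMPERED_DNSKEY, PUBLISHED_DS),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the example is what the function does not do: it never asks the DNS whether the key is right. PUBLISHED_DS has to come from somewhere the operator already trusts, otherwise the comparison only proves that the DNS answer agrees with itself.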

