[dnssec-deployment] SecSpider as a new service for trust anchor learning
Lixia Zhang
lixia at CS.UCLA.EDU
Thu Mar 13 10:48:01 EDT 2008
On Mar 13, 2008, at 12:26 AM, Jakob Schlyter wrote:
> hi eric,
>
> interesting service!
>
> one question so far; why do you crawl (and now publish as DLV) all
> keys and not only keys marked as secure entry points?
>
> jakob
good question.
We discussed this option internally: as engineers, what does one gain
and lose by doing A (crawling+pub all keys) versus doing B (entry
points only)?
My thought is: unless something is a secret, exposing everything under
the Sun is a helpful thing for better security.
If all the keys are config'ed right and accessed right, then showing
them all should do no harm, right?
But people make errors (our earlier measurement on DNS config showed
that the error rate is not that low). One may argue about how frequently
or infrequently it happens, not whether it happens.
There can also be other unknown reasons leading to a discrepancy between
what a key should be and the key one actually gets (either by our
crawler or a real resolver).
Under these situations, crawling all and showing them all seems
beneficial.
just my 2 cents,
Lixia
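As an added illustration of the A-versus-B choice above (this is example code, not SecSpider's or anyone on the thread's), the snippet below parses crawled DNSKEY records, classifies each by the SEP flag (option B would keep only those), and checks each against the parent's DS digests so that a key "one gets" that does not match what "it should be" stands out. The owner name and keys are constructed, not real zone data.

```python
import base64
import hashlib
import struct

SEP_FLAG = 0x0001  # RFC 4034 2.1.1: Secure Entry Point bit (flags 257 = ZONE|SEP)


def parse_dnskey(text):
    """Parse 'owner DNSKEY flags proto alg base64key' into (owner, rdata bytes)."""
    owner, _rrtype, flags, proto, alg, *key_b64 = text.split()
    pubkey = base64.b64decode("".join(key_b64))
    rdata = struct.pack("!HBB", int(flags), int(proto), int(alg)) + pubkey
    return owner, rdata


def is_sep(rdata):
    (flags,) = struct.unpack("!H", rdata[:2])
    return bool(flags & SEP_FLAG)


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner):
    """Canonical (lower-case) wire-format owner name used in the DS digest."""
    labels = [l for l in owner.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over wire owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()


def check_keyset(records, parent_ds_digests, entry_points_only=False):
    """Map key tag -> 'anchored', 'zsk', or 'unanchored SEP key' (worth a look)."""
    report = {}
    for rec in records:
        owner, rdata = parse_dnskey(rec)
        if entry_points_only and not is_sep(rdata):
            continue  # option B: publish only keys marked as secure entry points
        if ds_digest_sha256(owner, rdata) in parent_ds_digests:
            report[key_tag(rdata)] = "anchored"
        else:
            report[key_tag(rdata)] = "unanchored SEP key" if is_sep(rdata) else "zsk"
    return report
```

A SEP-flagged key with no matching parent DS is exactly the kind of misconfiguration that only shows up when the whole keyset is crawled and compared, rather than only the keys a zone advertises as entry points.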