[dnssec-deployment] dot MUSEUM implemented DNSSEC

Dan Mahoney, System Admin danm at prime.gushi.org
Fri Sep 19 11:25:11 EDT 2008


On Fri, 19 Sep 2008, Paul Wouters wrote:

> On Fri, 19 Sep 2008, Dan Mahoney, System Admin wrote:
>
>> This may be a very silly question, but has anyone assembled a page of "here 
>> are the TLDs we know of which have been signed, and you can verify each of 
>> them on the page *here* and their policy is listed *here*".
>
> http://www.xelerance.com/dnssec/
>
>> If not, I'll do it.  I'm against duplication of efforts, but I think a 
>> resource like this could be valuable.
>
> Though I think someone should put up a trusted keys page that's easier
> to configure in existing software. (eg bind/unbound include file, though
> I'd prefer one TLD per file, so people can easily add/remove entries).

True, but in the absence of a signed root, that could lead to people 
blindly pasting the whole thing into their named.conf -- which while it 
might encourage more widespread adoption, opens us up to a trust attack -- 
i.e. if all the keys are there, why would joe-sysadmin think signing the 
root is important?

And if EvilPaulWouters(tm) wants to put up a bad key on his page, where 
people are blindly copying/pasting (because it's easier), how would people 
know?  An alert on the TLD page (which people aren't going to since they 
already have the keys?)

I'm not saying it's a BAD idea, just that anyone reading this should 
please tread with caution and put BigFrigginWarningFlags that say "DO NOT 
TRUST ME, VERIFY THIS STUFF!!!".

A better option might be to include a well-commented shell script that 
fetches the relevant zones right from the DNS via dig, and then instructs 
the user to verify them.  (Arguably, I'd use perl, but your target 
audience for being able to understand shell is greater, also for being 
able to run the commands manually and watch the output).

One could take such a thing further by publishing a TXT record that 
includes TLDs known to be signed.

The following might best be broken into another topic, but I'll mention it 
here:

While on the subject of TXT records and zones we don't have info for, at this 
early point in adoption it might be a good idea to push out a suggested 
standard location for human-readable information about the above for a 
given TLD, i.e.

_dnssec.gushi.org. IN TXT "http://www.gushi.org/keypolicy.txt"

(sadly the TXT record at the root of the zone has already been chomped 
off by SPF, but some similar namespace as the above could be useful).

> I'll set one up before Tuesday.
>
> Paul
> (sorry for previous dup email - never mail before coffee)

Sorry for length and topic jumping - never mail after coffee.

-Dan

-- 

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
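
A sketch of the dig-based script suggested in the mail above, added here as an example and not code from the original message or the list: it turns a TLD's DNSKEY RRset into one BIND trusted-keys file per TLD (KSKs only) and reminds the user to verify the key against the registry's published policy before loading it. The dig output layout and the classic BIND 9 `trusted-keys` syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail: the "well-commented shell script"
# idea. dig_dnskey needs network access; dnskey_to_trusted_keys is pure text
# processing, so it can be checked offline on constructed dig-style output.

# Fetch the DNSKEY RRset of one zone, one record per line in dig's
# "owner ttl IN DNSKEY flags proto alg key..." layout (key may span fields).
dig_dnskey() {
    dig +noall +answer "$1" DNSKEY
}

# Read dig-style DNSKEY lines on stdin, keep only key-signing keys
# (flags 257 = ZONE+SEP) and print a BIND 9 trusted-keys statement.
# Assumes the classic 'trusted-keys { name flags proto alg "key"; };' syntax.
dnskey_to_trusted_keys() {
    awk '$4 == "DNSKEY" && $5 == "257" {
        key = ""
        for (i = 8; i <= NF; i++) key = key $i   # rejoin split base64
        printf "    \"%s\" %s %s %s \"%s\";\n", $1, $5, $6, $7, key
    }' | { echo "trusted-keys {"; cat; echo "};"; }
}

# One TLD per file, so an entry can be added or removed independently, and
# an explicit reminder that the file must be verified out of band first.
write_trusted_keys_file() {
    tld=$1
    dig_dnskey "$tld" | dnskey_to_trusted_keys > "trusted-keys.$tld"
    echo "Wrote trusted-keys.$tld (KSKs only). Do NOT include it in named.conf"
    echo "until the key matches the registry's published DNSSEC policy page."
}

# Usage: ./trusted-keys.sh museum   (does nothing when run without arguments)
if [ $# -gt 0 ]; then
    for tld in "$@"; do write_trusted_keys_file "$tld"; done
fi
```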
