[dnssec-deployment] dot MUSEUM implemented DNSSEC
Dan Mahoney, System Admin
danm at prime.gushi.org
Fri Sep 19 11:25:11 EDT 2008
On Fri, 19 Sep 2008, Paul Wouters wrote:
> On Fri, 19 Sep 2008, Dan Mahoney, System Admin wrote:
>> This may be a very silly question, but has anyone assembled a page of "here
>> are the TLD's we know of which have been signed, and you can verify each of
>> them on the page *here* and their policy is listed *here*".
>> If not, I'll do it. I'm against duplication of efforts, but I think a
>> resource like this could be valuable.
> Though I think someone should put up a trusted keys page that's easier
> to configure in existing software. (eg bind/unbound include file, though
> I'd prefer one TLD per file, so people can easilly add/remove entries).
True, but in the absence of a signed root, that could lead to people
blindly pasting the whole thing into their named.conf -- which while it
might encourage more widespread adoption, opens us up to a trust attack --
i.e. if all the keys are there, why would joe-sysadmin think signing the
root is important?
And if EvilPaulWouters(tm) wants to put up a bad key on his page, where
people are blindly copying/pasting (because it's easier), how would people
know? An alert on the TLD page (which people aren't going to since they
already have the keys?)
I'm not saying it's a BAD idea, just that anyone reading this should
please tread with caution and put BigFrigginWarningFlags that say "DO NOT
TRUST ME, VERIFY THIS STUFF!!!".
A better option might be to include a well-commented shell script that
fetches the relevant zones right from the DNS via dig, and then instructs
the user to verify them. (Arguably, I'd use perl, but your target
audience for being able to understand shell is greater, also for being
able to run the commands manually and watch the output).
One could take such a thing further by publishing a TXT record that
includes TLDs known to be signed.
The following might best be broken into another topic, but I'll mention it
While on the subject of TXT records and zones we don't have info for, this
early point in the adoption might be a good idea to push out a suggested
standard of location of human-readable information about the above for a
given tld, i.e.
_dnssec.gushi.org. IN TXT "http://www.gushi.org/keypolicy.txt"
(sadly the TXT record at the root of the zone has already been chomped
off by SPF, but some similar namespace as the above could be useful).
> I'll set one up before Tuesday.
> (sorry for previous dup email - never mail before coffee)
Sorry for length and topic jumping - never mail after coffee.
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
More information about the Dnssec-deployment