[dnssec-deployment] dot MUSEUM implemented DNSSEC

Mark Andrews Mark_Andrews at isc.org
Mon Sep 22 06:15:17 EDT 2008


In message <list-17036986 at execdsl.com>, Mats.Dufberg at teliasonera.com writes:
> > From: DNSSEC deployment=20
> > [mailto:dnssec-deployment at shinkuro.com] On Behalf Of Andrew Sullivan
> > Sent: den 19 september 2008 18:14
> (...)
> > > The DNSsec model assums that the parent zone registry makes=20
> > > reasonable
> > > checks when the registry of the child zone enters new DS=20
> > > record for the
> > > child zone, i.e. checks to make sure that it is not an evil=20
> > > gang trying
> > > to steal the control of the child zone.
> >=20
> > Surely this is no different than the current care needed when updating
> > NS records at the parent side of the zone cut, is it?
> 
> DNSsec creates a tighter chain. We have to make sure that redelegation
> is not the weakest link. -- Yes, it is the same process but DNSsec
> requires higher degree of safety when it comes to the redelegation part.

	Please quote the relevent RFC.

	Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org



More information about the Dnssec-deployment mailing list