[dnssec-deployment] dot MUSEUM implemented DNSSEC

Olaf Kolkman olaf at NLnetLabs.nl
Mon Sep 22 09:42:20 EDT 2008


On Sep 22, 2008, at 12:15 PM, Mark Andrews wrote:

>> DNSsec creates a tighter chain. We have to make sure that redelegation
>> is not the weakest link. -- Yes, it is the same process but DNSsec
>> requires a higher degree of safety when it comes to the redelegation part.
>
> 	Please quote the relevant RFC.


I hope that I understand Mats' point. Allow me to rephrase it:

If you do a delegation wrong you create some lameness, and the DNS can  
cope with that. If you do the DS wrong then you immediately impact the  
secure zones.

With plain old DNS you need to shoot at least twice to shoot yourself  
in the feet. With DNSSEC you only need one shot to do serious damage.


--Olaf
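
The one-shot failure described in the message above is what a pre-publication check guards against: before a DS goes to the parent, confirm that it hashes to a DNSKEY the child zone actually serves. This is an added example, not part of the original message; the owner name, key material and helper names are constructed for illustration, and only SHA-256 DS digests (digest type 2) are handled.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire format (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034, Appendix B (all algorithms except 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def wire_name(name):
    """Canonical (lowercased) owner name in DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, algorithm):
    """DS fields: (key tag, algorithm, digest type 2, SHA-256 hex digest)."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), algorithm, 2, digest)

def ds_is_safe_to_publish(owner, ds, child_dnskeys):
    """True only if the DS matches a zone key the child currently serves."""
    wanted = (ds[0], ds[1], ds[2], ds[3].lower())
    for flags, protocol, algorithm, pubkey_b64 in child_dnskeys:
        if not flags & 0x0100:  # Zone Key flag must be set (RFC 4034, 5.2)
            continue
        rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
        if make_ds(owner, rdata, algorithm) == wanted:
            return True
    return False

# Constructed sample data: not real keys, and not taken from any real zone.
OWNER = "example.museum."
KSK_OLD = (257, 3, 8, base64.b64encode(b"constructed-old-ksk").decode())
KSK_NEW = (257, 3, 8, base64.b64encode(b"constructed-new-ksk").decode())
GOOD_DS = make_ds(OWNER, dnskey_rdata(*KSK_NEW), KSK_NEW[2])
STALE_DS = make_ds(OWNER, dnskey_rdata(*KSK_OLD), KSK_OLD[2])

if __name__ == "__main__":
    # The child has rolled to KSK_NEW; a DS for the old key would break the zone.
    for label, ds in (("good", GOOD_DS), ("stale", STALE_DS)):
        ok = ds_is_safe_to_publish(OWNER, ds, [KSK_NEW])
        print(f"{label} DS (key tag {ds[0]}): {'publish' if ok else 'REJECT'}")
```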