[dnssec-deployment] dot MUSEUM implemented DNSSEC
thierry.moreau at connotech.com
Mon Sep 22 10:15:18 EDT 2008
Olaf Kolkman wrote:
> On Sep 22, 2008, at 12:15 PM, Mark Andrews wrote:
>>> DNSSEC creates a tighter chain. We have to make sure that redelegation
>>> is not the weakest link. -- Yes, it is the same process, but DNSSEC
>>> requires a higher degree of safety when it comes to the redelegation
>> Please quote the relevant RFC.
> I hope that I understand Mats' point. Allow me to rephrase it:
> If you do a delegation wrong you create some lameness, and the DNS can
> cope with that. If you do the DS wrong then you immediately impact the
> secure zones.
> With plain old DNS you need to shoot at least twice to shoot yourself
> in the foot. With DNSSEC you only need one shot to do serious damage.
Yes, yes, and yes (resp. to Matts, Mark, and Olaf).
DNSSEC brings crypto controls into DNS zone management, both parent and
child. Crypto merely makes control tighter, somehow inescapable. This
brings accountability, by making it easier to point the finger at the poor
system administrator who ended up messing with the KSK for example.com,
and/or at the registrar vying with DNSSEC as a service differentiation
activity under thin profit margins.
DNSSEC protocol standardization occurred with careful avoidance of such
policy issues. Hence Mark's challenge to bring documentary evidence. But
the nature of the beast (DNSSEC = crypto control = accountability) can't
remain untold forever.
I guess the only way forward is to put disclaimers such that nobody gets
fired/bankrupted by the "single shot DNSSEC mishaps", and live with the
implied reduction in overall trustworthiness.
- Thierry Moreau
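The "one shot" Olaf describes is the DS record: the parent publishes a digest of the child's KSK, and a validator recomputes that digest from the child's DNSKEY and rejects the whole subtree on any mismatch. The following is an added example, not code from the thread or from any of its participants; it implements the DS derivation and key tag from RFC 4034 (section 5.1.4 and Appendix B) and then shows what a validator sees when the DS is right, when one hex digit of the digest is wrong, and when the DS still points at a key the child no longer publishes. The zone name, flags and key bytes are constructed dummy values (the 64 bytes are not a real ECDSA public key), chosen only so the example runs offline.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase,
    uncompressed, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label in {name!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: Flags (16 bit) | Protocol (8) | Algorithm (8) | Public Key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1/RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

# DS digest type -> hash (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> bytes:
    """DS digest = hash(canonical owner name || DNSKEY RDATA) (RFC 4034 s5.1.4)."""
    return DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).digest()

def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """The DS RDATA the parent should publish for this child DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": digest_type,
        "digest": ds_digest(owner, rdata, digest_type).hex(),
    }

def ds_matches_dnskey(ds: dict, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey: bytes) -> bool:
    """What a validator does with the parent's DS: recompute it from the
    child's DNSKEY and compare every field. Any mismatch means there is no
    chain of trust into the child zone, so its signed data is bogus."""
    if ds["digest_type"] not in DIGEST_ALGS or ds["algorithm"] != algorithm:
        return False
    return make_ds(owner, flags, protocol, algorithm, pubkey, ds["digest_type"]) == ds

# Constructed example data: a KSK (flags 257 = ZONE|SEP) for a made-up zone.
# Algorithm 13 is ECDSAP256SHA256; the key bytes below are NOT a real key.
ZONE = "child.example."
FLAGS, PROTOCOL, ALG = 257, 3, 13
KSK_PUBKEY = bytes(range(64))
OLD_KSK_PUBKEY = bytes(range(63, -1, -1))  # the key the child rolled away from

def demo() -> dict:
    """Three outcomes for the same child DNSKEY RRset."""
    good_ds = make_ds(ZONE, FLAGS, PROTOCOL, ALG, KSK_PUBKEY)
    # One mistyped hex digit in the digest the parent published.
    typo_ds = dict(good_ds)
    typo_ds["digest"] = ("0" if good_ds["digest"][0] != "0" else "1") + good_ds["digest"][1:]
    # Parent still carries the DS for the previous KSK after a rollover.
    stale_ds = make_ds(ZONE, FLAGS, PROTOCOL, ALG, OLD_KSK_PUBKEY)
    check = lambda ds: ds_matches_dnskey(ds, ZONE, FLAGS, PROTOCOL, ALG, KSK_PUBKEY)
    return {"correct": check(good_ds), "typo": check(typo_ds), "stale": check(stale_ds)}

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:8s} DS -> {'chain of trust intact' if ok else 'BOGUS (no chain)'}")
```

Contrast this with a botched NS record: a resolver that hits one lame server simply retries the others, and the zone stays reachable. Here, a single wrong digit or a DS left behind after a KSK rollover fails the comparison outright, and every validating resolver treats the entire child zone as bogus until the parent publishes a corrected DS.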