[dnssec-deployment] dot MUSEUM implemented DNSSEC

Thierry Moreau thierry.moreau at connotech.com
Mon Sep 22 10:15:18 EDT 2008

Olaf Kolkman wrote:

> On Sep 22, 2008, at 12:15 PM, Mark Andrews wrote:
>>> DNSsec creates a tighter chain. We have to make sure that  redelegation
>>> is not the weakest link. -- Yes, it is the same process but DNSsec
>>> requires higher degree of safety when it comes to the redelegation  
>>> part.
>>     Please quote the relevent RFC.
> I hope that I understand Mats point. Allow me to rephrase it:
> If you do a delegation wrong you create some lameness, and the DNS can  
> cope with that. If you do the DS wrong then you immediately impact the  
> secure zones.
> With plain old DNS you need to shoot at least twice to shoot yourself  
> in the feet. With DNSSEC you only need one shot to do serious damage.

Yes, yes, and yes (resp. to Matts, Mark, and Olaf).

DNSSEC brings crypto controls in DNS zone management, both parent and 
child. Crypto merely makes control more tight, somehow inescapable. This 
brings accountability, by easier finger pointing to the poor system 
administrator who ended-up messing with the KSK for example.com, and/or 
the registrar vying with DNSSEC as a service differentiation activity 
under thin profit margins.

DNSSEC protocol standardization occurred with careful avoidance of such 
policy issues. Hence Mark challenge to bring documentary evidence. But 
the nature of the beast (DNSSEC=crypto control=accountability) can't 
remain untold forever.

I guess the only way forward is to put disclaimers such that nobody gets 
fired/bankrupted by the "single shot DNSSEC mishaps", and live with the 
implied reduction in overall trustworthiness.


- Thierry Moreau

More information about the Dnssec-deployment mailing list