[dnssec-deployment] DNSSEC in Russia
paul.hoffman at vpnc.org
Thu Apr 2 16:18:08 EDT 2009
At 3:24 PM -0400 4/2/09, Edward Lewis wrote:
>Attempting to focus this back on ... (as the subject says) ... DNSSEC in Russia, (subsequently) leading to the use of two different algorithms signing the root zone and the impact on size ...
>We are only talking about "double-signing" the root zone.
...with a signature algorithm that has had little cryptographic analysis done that could be verified by other cryptographers (and for which there is already some damaging analysis that can be found trivially with Google). Why should the root sign with such an algorithm?
If a zone wants to sign with an algorithm other than what everyone else is using, that's fine. Users of that algorithm that cannot use any other algorithm can load the highest-level zones signed with it in their trust anchor pile.
Adding additional algorithms, particularly ones that have not been studied much, to resolvers gives attackers new ways to break the security of DNSSEC. That doesn't seem like a good idea.
--Paul Hoffman, Director