[dnssec-deployment] DNSSEC in Russia
Ed.Lewis at neustar.biz
Thu Apr 2 17:12:14 EDT 2009
At 16:19 -0400 4/2/09, Andrew Sullivan wrote:
>that could be true -- is it true, for instance, that nobody in Russia
>is allowed to visit RSA-based SSL websites?
My understanding is that that question is not relevant. I.e., the
legal restrictions on the use of RSA are such that...this is not
My point, in this thread, is that DNSSEC is capable of having a
zone signed by multiple algorithms. If it proves out that there is a
requirement to use multiple algorithms, it can be done. We can
Will multiple algorithms have an operational impact? I bet they do,
in the increase of message size. How costly is that? We might have
Let's say the cost is significant. Or maybe that the cost is
insignificant. Either way, what is the cost versus benefit? There
are many outcomes from this, not all of them are technical - in fact
in none of them do I see a change to the protocol nor a substantive
change to the operations.
Maybe the second algorithm causes enough pain that DNSSEC is too
much, so parts of the network operators roll back to just one.
Perhaps this will cause economic considerations that will cause a
change in political-based requirements. Or split the root zone - and
who wants that? I'm no expert on economics and politics and I don't
want to be.
I'm just confident that the technology is flexible to accommodate the
scenarios. It's not up to me, an engineer, to set political agendas
nor make economic judgements. It's up to me to meet the requirements,
and at most advise the most expedient way to use the technology to
still meet the requirements.
Is anyone on this list willing to say "hey those who can't use RSA,
sorry, you can't have a secured DNS on the global public internet.
Sorry, we have to fragment the root first for you to get back
on-line." That's what I think is the alternative.
NeuStar You can leave a voice message at +1-571-434-5468
Getting everything you want is easy if you don't want much.