[dnssec-deployment] DNSSEC in Russia

Edward Lewis Ed.Lewis at neustar.biz
Thu Apr 2 17:12:14 EDT 2009


At 16:19 -0400 4/2/09, Andrew Sullivan wrote:

>that could be true -- is it true, for instance, that nobody in Russia
>is allowed to visit RSA-based SSL websites?

My understanding is that that question is not relevant.  I.e., the 
legal restrictions on the use of RSA are such that...this is not 
relevant.

My point, in this thread, is that DNSSEC is capable of having a 
zone signed by multiple algorithms.  If it proves out that there is a 
requirement to use multiple algorithms, it can be done.  We can 
accommodate.

Will multiple algorithms have an operational impact?  I bet they do, 
in the increase of message size.  How costly is that?  We might have 
to see.

Let's say the cost is significant.  Or maybe that the cost is 
insignificant.  Either way, what is the cost versus benefit?  There 
are many outcomes from this, not all of them technical; in fact, 
in none of them do I see a change to the protocol nor a substantive 
change to the operations.

Maybe the second algorithm causes enough pain that DNSSEC is too 
much, so parts of the network operators roll back to just one. 
Perhaps this will cause economic considerations that will cause a 
change in political-based requirements.  Or split the root zone - and 
who wants that?  I'm no expert on economics and politics and I don't 
want to be.

I'm just confident that the technology is flexible enough to accommodate the 
scenarios.  It's not up to me, an engineer, to set political agendas 
nor make economic judgements.  It's up to me to meet the requirements, 
and at most advise the most expedient way to use the technology to 
still meet the requirements.

Is anyone on this list willing to say "hey those who can't use RSA, 
sorry, you can't have a secured DNS on the global public internet. 
Sorry, we have to fragment the root first for you to get back 
on-line."  That's what I think is the alternative.

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

Getting everything you want is easy if you don't want much.
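As an added illustration (not part of Ed's message or anything from the list), the Python below estimates how much the apex DNSKEY RRset and every signed answer grow when a second algorithm is added beside RSA. The wire layouts come from RFC 4034 (RRSIG: 18 fixed bytes plus signer name plus signature; DNSKEY: 4 fixed bytes plus public key) and the RFC 4035 rule that each RRset needs an RRSIG per algorithm present at the apex; the key and signature sizes, the zone name and the second algorithm are assumptions.

```python
# Estimate DNSSEC message-size growth from multi-algorithm signing.
# RRSIG RDATA (RFC 4034 s.3.1): type covered 2 + algorithm 1 + labels 1 +
# original TTL 4 + expiration 4 + inception 4 + key tag 2 = 18 fixed bytes,
# then the signer's name and the signature.  DNSKEY RDATA (s.2.1): flags 2 +
# protocol 1 + algorithm 1, then the public key.  Name compression is ignored.
from dataclasses import dataclass

RR_FIXED = 2 + 2 + 4 + 2  # type, class, TTL, rdlength (owner name counted separately)
RRSIG_FIXED = 18
DNSKEY_FIXED = 4


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a domain name: per-label length byte + root."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return sum(1 + len(lab) for lab in labels) + 1


@dataclass(frozen=True)
class Alg:
    name: str
    pubkey_bytes: int  # DNSKEY public-key field
    sig_bytes: int     # RRSIG signature field


# Assumed sizes: RSA-2048 with e=65537 (1-byte exponent length + 3-byte exponent
# + 256-byte modulus) and a hypothetical 512-bit-curve algorithm (64-byte key,
# 128-byte signature).  These are illustrative constants, not measurements.
RSA_2048 = Alg("RSA-2048", 260, 256)
CURVE_512 = Alg("curve-512 (assumed)", 64, 128)


def rrsig_rr_size(zone: str, alg: Alg) -> int:
    """One RRSIG RR at the apex: owner + fixed RR fields + RDATA."""
    return wire_name_len(zone) + RR_FIXED + RRSIG_FIXED + wire_name_len(zone) + alg.sig_bytes


def rrset_signing_overhead(zone: str, algs) -> int:
    """Bytes of RRSIG added to any apex RRset answer: one RRSIG per algorithm."""
    return sum(rrsig_rr_size(zone, a) for a in algs)


def dnskey_rrset_size(zone: str, algs, keys_per_alg: int = 2) -> int:
    """DNSKEY RRset (KSK+ZSK per algorithm) plus its per-algorithm RRSIGs."""
    owner = wire_name_len(zone)
    keys = sum((owner + RR_FIXED + DNSKEY_FIXED + a.pubkey_bytes) * keys_per_alg for a in algs)
    return keys + rrset_signing_overhead(zone, algs)


if __name__ == "__main__":
    for algs in ([RSA_2048], [RSA_2048, CURVE_512]):
        print([a.name for a in algs], "DNSKEY answer:", dnskey_rrset_size("example.", algs),
              "bytes; RRSIG per RRset:", rrset_signing_overhead("example.", algs), "bytes")
```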
