[dnssec-deployment] DNSSEC in Russia
lutz at iks-jena.de
Thu Apr 2 19:45:15 EDT 2009
* Edward Lewis wrote:
> This is why I am trying to go out of my way to make sure the
> technology can be bent to accommodate a requirement laid upon us, no
> matter what the source, so long as compliance is desirable. Do we
> want Russia to be able to use DNSSEC? I think so.
First of all: Russia *is using* DNSSEC right now.

The current state of DNSSEC does not allow multiple, separate trust chains
within the same hierarchy. We can try to invent a new protocol. Or we simply
accept the fact.

I prefer the deployment of the existing protocol. And this protocol does not
allow entering more than one KSK into the root zone without disrupting the
service. Furthermore this protocol does not allow including weak algorithms
without weakening the whole chain.
> I don't question requirements. I'm willing to show how they are best
> met, and let the owner of the requirement decide whether to continue.
If the technical solution does not match the requirements, there are two
possibilities: Drop the solution or drop the requirements.
> I should add, I never assumed IANA would be signing with GOST (nor
> even at all), perhaps the signatures for the root zone are applied by
> different entities holding the respective private keys.
So you propose to split the root into a Russian and an IANA one?