[dnssec-deployment] About "no validation" for DNS root signing strategy
Eric Osterweil
eoster at cs.ucla.edu
Thu Oct 8 14:40:56 EDT 2009

On Oct 8, 2009, at 10:32 AM, Jakob Schlyter wrote:
> On 8 Oct 2009, at 18.14, Thierry Moreau wrote:
>
>> How do you train the world that "bogus" (intermittent bogus since
>> not all root nameservers will deploy at the same time) is fine
>> until some date, and then once deployed, "bogus" is bogus?
>
> the intention with the DURZ, the Deliberately Unvalidatable Root
> Zone, is that it should be obvious to everyone that it is not
> possible to validate the signatures. I do not know of any resolver
> that would try to validate signatures, even though you do not have a
> trust anchor configured, so to get any sort of validation failure
> you have to actually configure the bad key.
>
> we have considered using another algorithm identifier, but there are
> currently no experimental identifiers [1]. we did consider using a
> private algorithm, but decided that it could have other issues as
> well.
>
> jakob (part of the design team together with Matt, Joe and others
> at ICANN/VeriSign)

So, this is more than just a little bit scary. The protocol is
already reasonably complex, but the notion that it's OK for signatures
to not validate sometimes is a very slippery slope. If nothing else,
it's a new corner case that introduces a very dangerous avenue. What
is the justification for this (for those of us that couldn't make it
to Lisbon)?

Eric