[dnssec-deployment] About "no validation" for DNS root signing strategy
Olafur Gudmundsson
ogud at ogud.com
Tue Oct 13 11:40:00 EDT 2009
At 14:46 09/10/2009, Jakob Schlyter wrote:
>On 9 okt 2009, at 17.37, Howard Eland wrote:
>
>>These early adopters will necessarily read the first announcement,
>>or else they wouldn't know to turn validation on in the first
>>place. Make _that_ announcement as clear as possible as to what is
>>going on. I doubt there will be a massive validation light-up in
>>the first 6 months - specially if this occurs before .COM is signed,
>>so the impact is currently as low as it can be. It is a foregone
>>conclusion that the root needs to be signed, and this approach
>>provides the opportunity to measure the impact of DNSSEC on the root
>>operators.
>
>not to mention they have to configure a key that looks something like
>this:
>
>. IN DNSKEY 256 3 5 ( AwEAAa++++++++++++++++++++++++++++++
> ++THIS/KEY/AN/INVALID/KEY/AND/SHOULD
> /NOT/BE/USED/CONTACT/ROOTSIGN/AT/ICA
> NN/DOT/ORG/FOR/MORE/INFORMATION+++++
> ++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++/=) ; Key ID = 6477
>
>(btw yes, that is a valid key)
Based on my interpretation this is not a valid key as it has a
covert channel in the last byte :-)
You can fix that by changing the last character from / to A.
>I believe someone who deliberately configures such a key might have
>other problems, but what do I know...
The case you are ignoring is: well, what if someone calculates a DS record over the key and then distributes that DS as a trust anchor?
. IN DS 6477 5 2 3BF069F2AA69561AC63028135E526CBE27675E931C87E7F1DAB53A4914CDDDAE
. IN DS 6477 5 1 464F72094BD43ECB11681D3662F408835687B839
Olafur
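As an added illustration of the two points argued above (not code from the thread or from any of its participants), the following Python computes what a zone operator would derive from the quoted DNSKEY: the RFC 4034 key tag, the SHA-1 and SHA-256 DS digests over the owner name plus RDATA, and a round-trip check that flags nonzero trailing base64 bits, the "covert channel in the last byte". Function names are my own; the parser accepts the multi-line presentation format exactly as quoted, once the leading ">" quote marks are removed.

```python
import base64
import hashlib
import struct

def dnskey_rdata(record):
    """Wire-format RDATA from a presentation-format DNSKEY RR. Parentheses,
    line breaks and ';' comments are dropped as a zone-file parser would;
    an owner/class/type prefix before the DNSKEY token is skipped."""
    text = " ".join(line.split(";")[0] for line in record.splitlines())
    fields = text.replace("(", " ").replace(")", " ").split()
    if "DNSKEY" in fields:
        fields = fields[fields.index("DNSKEY") + 1:]
    flags, proto, alg = (int(f) for f in fields[:3])
    key = base64.b64decode("".join(fields[3:]))
    return struct.pack("!HBB", flags, proto, alg) + key

def has_nonzero_pad_bits(b64):
    """True when the final base64 character (of a whitespace-free string)
    carries bits that land in no decoded byte. Decoders ignore those bits,
    so they can be flipped without changing the key material at all."""
    return base64.b64encode(base64.b64decode(b64)).decode() != b64

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for alg 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case, uncompressed) wire form of the owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def ds_records(owner, record):
    """DS RRs for a DNSKEY (RFC 4034 section 5): the digest covers the
    canonical owner name followed by the DNSKEY RDATA. Digest type 1 is
    SHA-1 and type 2 is SHA-256, the two forms shown in the mail."""
    rdata = dnskey_rdata(record)
    data = owner_wire(owner) + rdata
    tag, alg = key_tag(rdata), rdata[3]
    return [f"{owner} IN DS {tag} {alg} 1 {hashlib.sha1(data).hexdigest().upper()}",
            f"{owner} IN DS {tag} {alg} 2 {hashlib.sha256(data).hexdigest().upper()}"]
```

Paste the quoted DNSKEY into ds_records(".", record) to compute its DS records, and join its base64 text into one string for has_nonzero_pad_bits to see the trailing "/=" flagged.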