[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update
akumria at acm.org
Mon Jul 19 06:03:47 EDT 2010
On Mon, Jul 19, 2010 at 5:43 AM, <bmanning at vacation.karoshi.com> wrote:
> On Sun, Jul 18, 2010 at 06:18:56PM -0400, Paul Wouters wrote:
>> On Sun, 18 Jul 2010, Tony Finch wrote:
>> >>indeed. and let's give credit where due -- because there are still no
>> >>external applications that add value in the face of this metadata, the
>> >>biggest reason we finally have a signed root and growing cadre of signed
>> >>tld's and sld's is because of... dan kaminsky's bug.
>> >Yes, but "no apps that add value" is an exaggeration - ssh is one
>> And the current thinking/revival of moving SSL certs out of the (broken)
>> CA infrastructure and into the DNSSEC infrastructure. Another example
>> could be the browers querying for the existence of an "SSL" cert in DNS, and
>> automatically starting out using https instead of http. (I wonder if that
>> could be done with a new edns option or additional data to reduce this to
>> one query)
> thats a horiffic idea. application level certs in the DNS
> is right up there with HINFO ... with one minor (critical) error
> that was not present for HINFO. There is zero plausable denyability
> for a node running an app.
You mean, like having a SRV record indicating where a protocol is best used?
Or an MX record indicating the best mail servers for a domain?
Could you elaborate some more.
> last I checked Trust was NOT transitive. Trust in the DNS heirarchy
> does not equate to trust in the sysadmin of a node. Your example
> above presumes that such will be the case. What am I missing here?
You are missing that for some sites, trust is transitive. And that,
really, DNSSEC + CERT records (with a signed DNS root) is a good way
to validate self-signed certificates.
We are already looking at tighter integration between application and
DNS (e.g. domainkey signed email), so why should this potential
application bother you?
>> And IPsec Opportunistic Encryption.
>> People will come up with more new things. I personally hope to see
>> identity verification via DNSSEC zones associated with email addresses
>> or verification of OTR identities via DNSSEC protected records.
> Scary stuff there Paul.
Indeed. Who wanted to protect their network, if they can.
More information about the Dnssec-deployment