[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

Peter Koch pk at ISOC.DE
Mon Jul 19 08:29:35 EDT 2010


On Mon, Jul 19, 2010 at 11:03:47AM +0100, Anand Kumria wrote:

> >        last I checked Trust was NOT transitive.  Trust in the DNS hierarchy
> >        does not equate to trust in the sysadmin of a node.  Your example
> >        above presumes that such will be the case.  What am I missing here?
>
>
> You are missing that for some sites, trust is transitive. And that,
> really, DNSSEC + CERT records (with a signed DNS root) is a good way
> to validate self-signed certificates.

the issue is the semantics of a DNSSEC signature.  Since DNSSEC is about
data origin authentication, the signature is merely an attestation of
the signer that some RRSet originated from within the zone.  No statement
is made about the correctness of the data. Therefore, the binding of
some key material to a domain (in the sense of 'node in the DNS hierarchy')
is explicitly not achieved.  The zone maintainer says they put the
RRSet into the zone, not that they verified any of its properties,
which holds for an A RRSet the same way as for a CERT RR(Set).

Now, this may be all 'better than nothing' or 'good enough' or 'opportunistic'
(in some positive spirit) or even 'not worse than today's certificate
practices', but the difference remains.  Think liability.

-Peter
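The semantics Peter describes, as an added, constructed Go model that is not part of the thread: a zone key signs a simplified canonical form of a CERT RRset (standing in for the RFC 4034 wire-format canonicalisation), and the validator's only question is whether the zone's key holder published exactly those bytes. The record names, the certificate blobs and the helper names (`SignRRset`, `VerifyOrigin`) are assumptions for illustration; real DNSSEC adds RRSIG fields and a chain of trust, omitted here.

```go
package main

import (
	"crypto/ed25519" // DNSSEC algorithm 15 uses Ed25519; chosen because it is in the stdlib
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is a constructed, simplified model of a DNS RRset: owner name, type, RDATA as text.
type RRset struct {
	Owner string
	Type  string
	RData []string
}

// canonical builds a stand-in for the RFC 4034 canonical form: lowercased owner,
// RDATA sorted, so that the signature covers the whole set regardless of record order.
func canonical(rs RRset) []byte {
	rd := append([]string(nil), rs.RData...)
	sort.Strings(rd)
	return []byte(strings.ToLower(rs.Owner) + "|" + rs.Type + "|" + strings.Join(rd, "|"))
}

// NewZoneKey generates the zone's signing key pair (public half would be published as DNSKEY).
func NewZoneKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignRRset is what the zone maintainer does: sign whatever RRset they put in the zone.
func SignRRset(zsk ed25519.PrivateKey, rs RRset) []byte { return ed25519.Sign(zsk, canonical(rs)) }

// VerifyOrigin answers one question only: did the holder of this zone's key publish
// exactly this RRset? It has no input from which to judge whether a CERT is "correct".
func VerifyOrigin(dnskey ed25519.PublicKey, rs RRset, rrsig []byte) bool {
	return ed25519.Verify(dnskey, canonical(rs), rrsig)
}

func main() {
	pub, priv := NewZoneKey()
	// Constructed CERT RRset; the blob is a placeholder, not a real certificate.
	cert := RRset{Owner: "www.example.", Type: "CERT", RData: []string{"PKIX 0 0 constructed-cert-blob"}}
	sig := SignRRset(priv, cert)
	fmt.Println("origin verified:", VerifyOrigin(pub, cert, sig)) // true: the zone published it
	cert.RData[0] = "PKIX 0 0 injected-blob"
	fmt.Println("after tampering:", VerifyOrigin(pub, cert, sig)) // false: not what the zone published
}
```

The validator cannot distinguish a CERT RRset the operator verified from one they merely copied into the zone; both verify identically, which is the gap between origin authentication and a key-to-domain binding.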

