[Dnssec-deployment] Root Zone DNSSEC Deployment Technical Status Update

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 14:06:44 EDT 2010


On Mon, Jul 19, 2010 at 11:03:47AM +0100, Anand Kumria wrote:
> Hi Bill,
> 
> >        last I checked Trust was NOT transitive.  Trust in the DNS hierarchy
> >        does not equate to trust in the sysadmin of a node.  Your example
> >        above presumes that such will be the case.  What am I missing here?
> 
> 
> You are missing that for some sites, trust is transitive. And that,
> really, DNSSEC + CERT records (with a signed DNS root) is a good way
> to validate self-signed certificates.

	for -some- sites yes, but not most or even many.  I do agree
	about the DNSSEC+CERT trick though.  It was envisioned in an
	early distributed RIR proposal that was described in 1998 at
	INET.  There is a joint project between NAIST and USC going on
	now to develop those ideas further.  I'd be really happy to
	talk with others who are interested in that concept.


> We are already looking at tighter integration between application and
> DNS (e.g. domainkey signed email), so why should this potential
> application bother you?


	because the DNS admin is not the person configuring email or 
	ssh or pick your app of choice. 

> >> And IPsec Opportunistic Encryption.
> >>
> >> People will come up with more new things. I personally hope to see
> >> identity verification via DNSSEC zones associated with email addresses
> >> or verification of OTR identities via DNSSEC protected records.

	IPsec works, if only because the reverse tree can be signed.
	Several people did work on this last century (me with TBDS,
	Russ Mundy/Sparta with some toolkit which I forget, Hugh and Freeswan,
	there were a pool of really interesting ideas)

> >
> >
> >        Scary stuff there Paul.
> 
> Indeed. Who wanted to protect their network, if they can.
> 
> Cheers,
> Anand
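The "DNSSEC + CERT" check discussed above, as an added example that is not part of this thread: it parses a CERT RR in its RFC 4398 wire format and accepts a presented self-signed certificate only when a DNSSEC-validated PKIX CERT record carries that exact certificate. The RDATA, the certificate bytes and the `dnssec_validated` flag (assumed to come from the resolver's validation result) are constructed sample values, not real DNS data.

```python
"""Added example (not from the mailing-list thread): decide whether a DNS
CERT record vouches for a presented self-signed certificate. All inputs
below are constructed sample values."""
import hmac
import struct

# RFC 4398 certificate type codes used here.
CERT_TYPE_PKIX = 1   # full X.509 certificate in DER
CERT_TYPE_IPKIX = 4  # URL pointing at a PKIX cert; not checkable offline

# Constructed stand-in for a self-signed certificate's DER bytes.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-self-signed-cert".ljust(32, b"\x00")


def encode_cert_rdata(cert_type, key_tag, algorithm, payload):
    """Build CERT RDATA: type(2) | key tag(2) | algorithm(1) | certificate."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + payload


def parse_cert_rdata(rdata):
    """Split CERT RDATA into (type, key_tag, algorithm, payload)."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA shorter than its fixed 5-byte header")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def cert_matches_dns(presented_der, rdata, dnssec_validated):
    """Return True only if a DNSSEC-validated PKIX CERT RR carries exactly
    the presented certificate.

    dnssec_validated is assumed to be the resolver's verdict (e.g. the AD
    bit from a validating resolver). An unvalidated answer proves nothing
    about who published the record, so it is refused outright rather than
    treated as a weaker match."""
    if not dnssec_validated:
        return False
    cert_type, _key_tag, _algorithm, payload = parse_cert_rdata(rdata)
    if cert_type != CERT_TYPE_PKIX:
        return False  # only a full in-zone certificate can be compared here
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(payload, presented_der)


if __name__ == "__main__":
    rr = encode_cert_rdata(CERT_TYPE_PKIX, 12345, 8, SAMPLE_CERT_DER)
    print(cert_matches_dns(SAMPLE_CERT_DER, rr, dnssec_validated=True))   # True
    print(cert_matches_dns(SAMPLE_CERT_DER, rr, dnssec_validated=False))  # False
```

Matching the record only tells you the zone's DNS admin published that certificate; as the reply above notes, that is not the same as trusting whoever configured the application behind it.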

