Date: Wed, 26 Mar 2008 18:01:50 +0000
From: Ben Laurie <ben@links.org>
To: Dave Howe <DaveHowe@gmx.co.uk>
CC: Email List - Cryptography <cryptography@metzdowd.com>
In-Reply-To: <47E4C623.2010206@gmx.co.uk>

Dave Howe wrote:
> James A. Donald wrote:
>> From time to time I hear that DNSSEC is working fine, and on
>> examining the matter I find it is "working fine" except that ....
>
> DNSSEC is "working fine" as a technology. However, it is worth
> remembering that it works based on digitally signing an entire zone -
> the state of the world being what it is, most people prohibit xfer so
> any other technology that would allow a zonewalk is not going to be
> deployed.
>
> as far as I can tell, this is a basic design flaw, so isn't going to be
> rectified anytime soon.

RFC 5155 rectifies this design flaw.

--
http://www.apache-ssl.org/ben.html
http://www.links.org/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
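
The difference the thread turns on, as an added example that is not part of the original messages: a denial of existence for the same missing name under plain NSEC and under the hashed NSEC3 records that RFC 5155 defines. The function names are hypothetical; the zone is constructed, with names, salt and iteration count taken from the example zone in RFC 5155 Appendix A.

```python
import base64, bisect, hashlib

# Translate RFC 4648 base32 to lowercase base32hex, the NSEC3 label encoding.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

# Constructed sample zone; names, salt and iteration count follow the
# example zone in RFC 5155 Appendix A.
ZONE = ["example", "a.example", "ns1.example", "ns2.example", "w.example"]
SALT_HEX, ITERATIONS = "aabbccdd", 12

def labels(name):
    """Lowercased labels of a domain name, left to right."""
    return [l for l in name.lower().rstrip(".").split(".") if l]

def nsec3_hash(name, salt_hex=SALT_HEX, iterations=ITERATIONS):
    """RFC 5155 section 5: iterated salted SHA-1 over the wire-format name."""
    salt = bytes.fromhex(salt_hex)
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covering_pair(sorted_keys, target):
    """Chain entry (owner, next) whose span covers a key that is absent."""
    i = bisect.bisect_left(sorted_keys, target)
    return sorted_keys[i - 1], sorted_keys[i % len(sorted_keys)]

def nsec_denial(qname):
    """NSEC: the denial names two real neighbours in canonical order."""
    keys = sorted(labels(n)[::-1] for n in ZONE)
    prev, nxt = covering_pair(keys, labels(qname)[::-1])
    return ".".join(prev[::-1]), ".".join(nxt[::-1])

def nsec3_denial(qname):
    """NSEC3: the denial names two hashed owner names instead."""
    hashes = sorted(nsec3_hash(n) for n in ZONE)
    return covering_pair(hashes, nsec3_hash(qname))

if __name__ == "__main__":
    print("NSEC  denial for mail.example:", nsec_denial("mail.example"))
    print("NSEC3 denial for mail.example:", nsec3_denial("mail.example"))
```

The NSEC answer hands the querier two existing owner names in clear text, while the NSEC3 answer covers the same gap with 32-character base32hex hashes.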