[107164] in North American Network Operators' Group
Re: US government mandates? use of DNSSEC by federal agencies
daemon@ATHENA.MIT.EDU (Jeroen Massar)
Wed Aug 27 13:26:18 2008
Date: Wed, 27 Aug 2008 19:25:03 +0200
From: Jeroen Massar <jeroen@unfix.org>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
In-Reply-To: <20080827131342.371009ae@cs.columbia.edu>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Steven M. Bellovin wrote:
> On Wed, 27 Aug 2008 09:53:26 -0700
> "Kevin Oberman" <oberman@es.net> wrote:
>
>>> So the question I have is... will operators (ISP, etc) turn on
>>> DNSsec checking? Or a more basic question of whether you even
>>> _could_ turn on checking if you were so inclined?
>> As far as I can see, at least with bind-9.5, operators would have to
>> turn it off. It looks to me like dnssec-validation defaults to on. It
>> also appears that bind-9.4 defaults to 'off'.
>
> Right. The real questions are the clients and the trust anchor -- what
> root key do you support?
A distributed one. I personally don't really see an issue with
downloading a public key for every TLD out there. These keys could come
in a pack even by an OS distribution, nicely PGP signed et al...
Nobody in his right mind manages this per box anymore anyway, and
packages for distributions and auto-updates are well-present anyway.
The presence of a key file can also mean to the resolver that one
can/has_to check dnssec results.
Greets,
Jeroen