[107989] in North American Network Operators' Group
Re: hat tip to .gov hostmasters
daemon@ATHENA.MIT.EDU (Colin Alston)
Mon Sep 22 11:04:23 2008
Date: Mon, 22 Sep 2008 17:02:47 +0200
From: Colin Alston <karnaugh@karnaugh.za.net>
To: Florian Weimer <fweimer@bfk.de>
In-Reply-To: <82ljxkkz57.fsf@mid.bfk.de>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Florian Weimer wrote:
> * Jason Frisvold:
>
>> On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <darkuncle@gmail.com> wrote:
>>> nice to see a wholesale DNSSEC rollout underway (I must confess to being a
>>> little surprised at the source, too!). Granted, it's a much more manageable
>>> problem set than, say, .com - but if one US-controlled TLD can do it, hope
>>> is buoyed for a .com rollout sooner rather than later (although probably not
>>> much sooner :)).
>> I'm not much up on DNSSEC, but don't you need to be using a resolver
>> that recognizes DNSSEC in order for this to be useful?
>
> Correct, you need a validating, security-aware stub resolver, or the
> ISP needs to validate the records for you.
>
In public space like .com, don't you need some kind of central
trustworthy CA?
