[95699] in North American Network Operators' Group


Re: America takes over DNS

daemon@ATHENA.MIT.EDU (David Conrad)
Mon Apr 2 10:50:13 2007

In-Reply-To: <D03E4899F2FB3D4C8464E8C76B3B68B0221C13@E03MVC4-UKBR.domain1.systemhost.net>
Cc: <nanog@merit.edu>
From: David Conrad <drc@virtualized.org>
Date: Mon, 2 Apr 2007 07:45:08 -0700
To: "<michael.dillon@bt.com>" <michael.dillon@bt.com>
Errors-To: owner-nanog@merit.edu


Hi,

> Wouldn't the holder of these keys be the only ones able to spoof  
> DNSSEC?

Yes.  This is an assumption of DNSSEC, regardless of who signs the  
root.  The implication of this (and the fact that emergency key  
rollover requires everyone on the planet with a validating resolver  
to update the root trust key manually) is that protecting the root  
key signing key is a bit important.

Rgds,
-drc
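
Added example, not part of the original message: a Python sketch of the trust-anchor check a validating resolver applies to the root DNSKEY set, showing why an emergency root KSK rollover fails validation until the configured anchor is updated. The key bytes, algorithm number and function names are constructed for illustration, and RRSIG signature verification is omitted.

```python
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"  # wire-format owner name of the root zone


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1, always 3) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_anchor(rdata: bytes) -> dict:
    """DS-style trust anchor, digest type 2 (RFC 4509): SHA-256(owner | RDATA)."""
    digest = hashlib.sha256(ROOT_OWNER_WIRE + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "digest": digest}


def root_status(trust_anchors: list, served_dnskeys: list) -> str:
    """'secure' if any served DNSKEY matches a configured anchor, else 'bogus'.

    A real validator would go on to verify the RRSIG over the DNSKEY RRset
    with the matching key; that step is left out here.
    """
    for rdata in served_dnskeys:
        candidate = make_anchor(rdata)
        if candidate in trust_anchors:
            return "secure"
    return "bogus"


# Constructed sample keys (flags 257 = zone key + SEP, i.e. a KSK).
OLD_KSK = dnskey_rdata(257, 8, b"constructed-old-root-ksk-bytes")
NEW_KSK = dnskey_rdata(257, 8, b"constructed-new-root-ksk-bytes")

if __name__ == "__main__":
    configured = [make_anchor(OLD_KSK)]
    print("before rollover:", root_status(configured, [OLD_KSK]))
    print("after emergency rollover:", root_status(configured, [NEW_KSK]))
    configured = [make_anchor(NEW_KSK)]  # the manual update on each resolver
    print("after anchor update:", root_status(configured, [NEW_KSK]))
```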

