To: dnsop@cafax.se
From: Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>
Date: Tue, 15 Oct 2002 12:21:28 +0200
Content-Disposition: inline
In-Reply-To: <000901c2740f$b5324fe0$79112344@laptoy>; from john@chagres.net on Mon, Oct 14, 2002 at 11:57:00PM -0600
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5.1i
Subject: Re: Interim signing of the root zone.

On Mon, Oct 14, 2002 at 11:57:00PM -0600, John M. Brown wrote:
> signing the root, by whatever means is decided upon, helps
> assure that the data is in fact "the original stuff".

With CAs like VeriSign issuing wrong certificates for Microsoft.
    http://www.pkiforum.com/resources/verisigncerts.html
Did this company get punished hard? Are their certificates less trusted
in the community? Do you still believe certificates issued by VeriSign?
Do you believe data signed with a VeriSign cert is the "original stuff"?
Why? There is evidence they issue wrong certs. One issue has become
famous. How many are there we don't know about?

> If the country of Futuro (make believe) decides to run its
> own "root" via an anycast system, and they change the
> NS RR set for .JP, how are users going to know that?

And if the country of Futuro also installs a firewall to filter and spy
on IP connections, does it make any difference to their residents?
And is changing the NS RR set for .JP evidence that they are
doing something evil? Maybe they are running secondaries of the JP zone
and changed it to optimize their DNS infrastructure?

What Masataka Ohta IMHO tries to say is that it is at best nice to
have a signed root zone, but you will not gain /any/ increase in security.
And one reason is that if the security is compromised the network
police will not read you your rights and drag you away. It will work
fine, as long as it works. If it fails it fails. Nothing else.

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.