To: dnsop@cafax.se
From: Markus Stumpf <maex-lists-dns-ietf-dnsop@Space.Net>
Date: Tue, 15 Oct 2002 12:21:28 +0200
Content-Disposition: inline
In-Reply-To: <000901c2740f$b5324fe0$79112344@laptoy>; from john@chagres.net on Mon, Oct 14, 2002 at 11:57:00PM -0600
Sender: owner-dnsop@cafax.se
User-Agent: Mutt/1.2.5.1i
Subject: Re: Interim signing of the root zone.

On Mon, Oct 14, 2002 at 11:57:00PM -0600, John M. Brown wrote:
> signing the root, by whatever means is decided upon, helps
> assure that the data is in fact "the original stuff".

With CAs like VeriSign issuing wrong certificates for Microsoft.
    http://www.pkiforum.com/resources/verisigncerts.html
Did this company get punished hard? Are their certificates less trusted
in the community? Do you still believe certificates issued by VeriSign?
Do you believe data signed with a VeriSign cert is the "original stuff"?
Why? There is evidence they issue wrong certs. One issue has become
famous. How many are there we don't know about?

> If the country of Futuro (make believe) decides to run its
> own "root" via an anycast system, and they change the
> NS RR set for .JP, how are users going to know that?

And if the country of Futuro also installs a firewall to filter and
spy on IP connections does it make any difference to their residents?
And is changing the NS RR set for .JP evidence that they are doing
something evil? Maybe they are running secondaries of the JP zone and
changed it to optimize their DNS infrastructure?

What Masataka Ohta IMHO tries to say is that it is at best nice to have
a signed root zone, but you will not gain /any/ increase in security.
And one reason is that if the security is compromised the network police
will not read you your rights and drag you away.
It will work fine, as long as it works. If it fails it fails. Nothing else.

	\Maex

--
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"