Educause Security Discussion mailing list archives
Re: DNSSEC & the .EDU domain
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 18 Aug 2008 16:33:47 -0400
On Sun, 17 Aug 2008 21:23:14 MDT, Stephen John Smoogen said:
Well who is going to pay for the staff and systems to do the signing? How much is required for the number of zones in the .edu domain space?
A bit of clarification here. All the people running the .edu zone have to sign is *the .edu zone*. One zone. That's it (unless they have a *separate* service for hosting DNS for a school). So if somebody makes a request to the .edu nameservers, they will (for instance) get a reply back that says 'vt.edu SOA, 5 NS entries, and DNSSEC signing of those 6 RRs'. They don't have to sign any of the bazillion entries in the vt.edu zone, that's *our* problem. And if a few schools don't get onboard, it's only their domain that's not signed. There is no requirement that *all* the sub-zones also be signed. A bit of cleverness will show that it's possible (and in fact required) to do incremental updating of the signatures for the SOA/NS glue entries on a per-subdomain basis. If it were required to "sign the entire zone", the time required to compute a signature across a .com zone that contains glue for the 140M+ .com domains would be prohibitively long (overlooking the fact that a signature across the entire zone would be cryptographically useless for anything other than a zone-transfer of the .com zone)...
Attachment:
_bin
Description:
Current thread:
- DNSSEC & the .EDU domain John Center (Aug 14)
- <Possible follow-ups>
- Re: DNSSEC & the .EDU domain Lawrence, Gabriel (Aug 14)
- Re: DNSSEC & the .EDU domain Memisyazici, Aras (Aug 14)
- Re: DNSSEC & the .EDU domain Brad Miller (Aug 15)
- Re: DNSSEC & the .EDU domain Rodney Petersen (Aug 17)
- Re: DNSSEC & the .EDU domain David L. Wasley (Aug 17)
- Re: DNSSEC & the .EDU domain Stephen John Smoogen (Aug 17)
- Re: DNSSEC & the .EDU domain Memisyazici, Aras (Aug 17)
- Re: DNSSEC & the .EDU domain Stephen John Smoogen (Aug 18)
- Re: DNSSEC & the .EDU domain Valdis Kletnieks (Aug 18)
- Re: DNSSEC & the .EDU domain Curt Wilson (Aug 18)
- Re: DNSSEC & the .EDU domain Shumon Huque (Aug 18)