Educause Security Discussion mailing list archives

Re: DNSSEC & the .EDU domain


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 18 Aug 2008 16:33:47 -0400

On Sun, 17 Aug 2008 21:23:14 MDT, Stephen John Smoogen said:

> Well who is going to pay for the staff and systems to do the signing?
> How much is required for the number of zones in the .edu domain space?

A bit of clarification here.  All the people running the .edu zone have to sign
is *the .edu zone*.  One zone. That's it (unless they have a *separate* service
for hosting DNS for a school). So if somebody makes a request to the .edu
nameservers, they will (for instance) get a reply back that says 'vt.edu SOA, 5
NS entries, and DNSSEC signing of those 6 RRs'.   They don't have to sign any
of the bazillion entries in the vt.edu zone, that's *our* problem.  And if
a few schools don't get on board, it's only their domain that's not signed.
There is no requirement that *all* the sub-zones also be signed.

A bit of cleverness will show that it's possible (and in fact required) to
do incremental updating of the signatures for the SOA/NS glue entries on
a per-subdomain basis.  If it were required to "sign the entire zone", the
time required to compute a signature across a .com zone that contains glue
for the 140M+ .com domains would be prohibitively long (overlooking the
fact that a signature across the entire zone would be cryptographically
useless for anything other than a zone-transfer of the .com zone)...
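As an added example (not from the thread or its authors), a toy signer in Python showing the per-RRset model the reply relies on: DNSSEC produces one RRSIG per RRset, so in the parent zone a change to one school's delegation data re-signs one RRset rather than the zone. HMAC-SHA256 stands in for the RRSIG algorithm and every name, key and DS value is constructed; the only signed delegation record a parent publishes is the DS, while the NS RRset at the delegation point stays unsigned glue.

```python
import hashlib
import hmac
from typing import Dict, List, Set, Tuple
RRKey = Tuple[str, str]          # (owner name, RR type)
Zone = Dict[RRKey, List[str]]    # one RRset per key -> its RDATA strings
# Constructed zone-signing key; HMAC-SHA256 stands in for a real RRSIG algorithm.
ZSK = b"constructed-edu-zsk"

def canonical_rrset(owner: str, rtype: str, rdata: List[str]) -> bytes:
    """RFC 4034-style canonical form: lowercased owner, RDATA in sorted order."""
    return "\n".join([owner.lower(), rtype] + sorted(rdata)).encode()

def sign_rrset(key: bytes, rrkey: RRKey, rdata: List[str]) -> str:
    """One RRSIG covers one RRset, never the whole zone."""
    return hmac.new(key, canonical_rrset(*rrkey, rdata), hashlib.sha256).hexdigest()

def signable(apex: str, rrkey: RRKey) -> bool:
    """The parent signs its own apex RRsets and the DS it publishes for each
    child; the NS RRset at a delegation point is unsigned glue (RFC 4035 2.2)."""
    return rrkey[0].lower() == apex.lower() or rrkey[1] == "DS"

def sign_zone(key: bytes, apex: str, zone: Zone) -> Dict[RRKey, str]:
    return {k: sign_rrset(key, k, v) for k, v in zone.items() if signable(apex, k)}

def incremental_resign(key: bytes, apex: str, zone: Zone, sigs: Dict[RRKey, str]):
    """Re-sign only RRsets whose existing RRSIG no longer verifies (or are new)."""
    new_sigs, changed = dict(sigs), set()
    for k, rdata in zone.items():
        if not signable(apex, k):
            continue
        fresh = sign_rrset(key, k, rdata)
        if k not in sigs or not hmac.compare_digest(sigs[k], fresh):
            new_sigs[k] = fresh
            changed.add(k)
    return new_sigs, changed

def demo() -> Set[RRKey]:
    zone: Zone = {  # constructed .edu-style zone: apex SOA/NS plus two delegations
        ("edu.", "SOA"): ["a.edu-servers.net. hostmaster.edu. 2008081801"],
        ("edu.", "NS"): ["a.edu-servers.net.", "b.edu-servers.net."],
        ("vt.edu.", "NS"): ["ns1.vt.edu.", "ns2.vt.edu."],       # unsigned glue
        ("vt.edu.", "DS"): ["12345 8 2 CONSTRUCTED-DIGEST-A"],    # constructed
        ("example.edu.", "NS"): ["ns.example.edu."],
        ("example.edu.", "DS"): ["23456 8 2 CONSTRUCTED-DIGEST-B"],
    }
    sigs = sign_zone(ZSK, "edu.", zone)
    # One school rolls its key: only that DS RRset needs a new RRSIG.
    zone[("example.edu.", "DS")] = ["34567 8 2 CONSTRUCTED-DIGEST-C"]
    return incremental_resign(ZSK, "edu.", zone, sigs)[1]
```

Running `demo()` returns the single re-signed key `("example.edu.", "DS")`; the apex RRsets and the other school's DS keep their existing signatures.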
