nanog mailing list archives
Re: America takes over DNS
From: bmanning () karoshi com
Date: Mon, 2 Apr 2007 18:18:45 +0000
On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
Hi,Wouldn't the holder of these keys be the only ones able to spoof DNSSEC?Yes. This is an assumption of DNSSEC, regardless of who signs the root. The implication of this (and the fact that emergency key rollover requires everyone on the planet with a validating resolver to update the root trust key manually) is that protecting the root key signing key is a bit important. Rgds, -drc
one important attribute of key roll would seem to be the lack of a "flag-day". ... there are at least a couple of proposals that mitigate that particular risk. --bill
Current thread:
- RE: America takes over DNS, (continued)
- RE: America takes over DNS michael.dillon (Apr 02)
- Re: America takes over DNS Stephane Bortzmeyer (Apr 02)
- RE: America takes over DNS michael.dillon (Apr 02)
- Re: America takes over DNS Peter Dambier (Apr 02)
- Re: America takes over DNS Stephane Bortzmeyer (Apr 02)
- Re: America takes over DNS J. Oquendo (Apr 02)
- RE: America takes over DNS michael.dillon (Apr 02)
- Re: America takes over DNS Jerry Dixon (Apr 02)
- Re: America takes over DNS David Conrad (Apr 02)
- Re: America takes over DNS Randy Bush (Apr 02)
- Re: America takes over DNS bmanning (Apr 02)
- Re: On-going Internet Emergency and Domain Names Chris L. Morrow (Apr 01)
- Re: On-going Internet Emergency and Domain Names Gadi Evron (Apr 01)
- Re: On-going Internet Emergency and Domain Names Joe Abley (Apr 02)
- Re: On-going Internet Emergency and Domain Names Gadi Evron (Apr 02)
- Re: On-going Internet Emergency and Domain Names Andy Johnson (Apr 02)
- Re: On-going Internet Emergency and Domain Names Chris L. Morrow (Apr 02)
- Re: On-going Internet Emergency and Domain Names Andy Johnson (Apr 02)