nanog mailing list archives

Re: hat tip to .gov hostmasters


From: bmanning () vacation karoshi com
Date: Mon, 22 Sep 2008 15:19:46 +0000

On Mon, Sep 22, 2008 at 10:52:42AM -0400, Jason Frisvold wrote:
On Mon, Sep 22, 2008 at 10:34 AM, Scott Francis <darkuncle () gmail com> wrote:
nice to see a wholesale DNSSEC rollout underway (I must confess to being a
little surprised at the source, too!). Granted, it's a much more manageable
problem set than, say, .com - but if one US-controlled TLD can do it, hope
is buoyed for a .com rollout sooner rather than later (although probably not
much sooner :)).

I'm not much up on DNSSEC, but don't you need to be using a resolver
that recognizes DNSSEC in order for this to be useful?

/sf


-- 
Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com
http://blog.godshell.com


        yes and no.  to fully trust the data from the servers you need
        three things:

        ) signed data (this is what .gov is doing)
        ) a validator in the end system (this is mostly missing/not configured today)
        ) accurate trust anchors from a couple of places in the DNS namespace ##

        however,
        
        if all you start with is signed data - it becomes possible to verify the
        source of the data - independently of inline DNS validation.  e.g. you
        can, with a high degree of certainty, be assured that the root zone you
        load is really the ORSN root and not that flaky root from DoC/ICANN/VSGN... :)

        so "naked" signed data, in the absence of TA's or validators is still
        useful.


## you'll need a couple of these - and how you get them and keep them up to date is
   still a mostly unsolved operational problem.

--bill
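Bill's three ingredients, worked through as an added example (this is illustrative code written for this archive page, not anything from the thread, from ORSN, or from the .gov rollout). It builds a constructed A record for a hypothetical zone example.gov, signs it with a freshly generated ECDSA P-256 key (DNSSEC algorithm 13, RFC 6605, chosen because Go's standard library has it; a 2008-era zone would have used RSA), and then shows the two checks separately: verifyRRset is the "naked signed data" case (the signature verifies under a key you hold, however you obtained it), and validate adds the trust anchor by requiring the DNSKEY to hash to a DS digest you trust. The model is deliberately single-key: no KSK/ZSK split, no signed DS RRset at the parent, no NSEC, no wildcard handling.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"sort"
	"strings"
)

// Minimal single-key DNSSEC model: RFC 4034 wire formats, RFC 6605 ECDSAP256SHA256 (alg 13).
// Zone name, record and timestamps below are constructed for illustration, not real .gov data.
const (
	typeA   uint16 = 1
	classIN uint16 = 1
	alg13   byte   = 13
)

type RR struct {
	Name  string
	Type  uint16
	TTL   uint32
	RData []byte
}

type DNSKEY struct {
	Flags  uint16
	Alg    byte
	PubKey []byte // X||Y, 32 bytes each for alg 13
}

type RRSIG struct {
	TypeCovered                    uint16
	Alg, Labels                    byte
	OrigTTL, Expiration, Inception uint32
	KeyTag                         uint16
	SignerName                     string
	Signature                      []byte // r||s, 32 bytes each
}

// wireName returns the canonical (lowercased) wire-format owner name, RFC 4034 s6.2.
func wireName(name string) []byte {
	var out []byte
	if n := strings.ToLower(strings.TrimSuffix(name, ".")); n != "" {
		for _, label := range strings.Split(n, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

func labelCount(name string) byte {
	n := strings.TrimSuffix(name, ".")
	if n == "" {
		return 0
	}
	return byte(strings.Count(n, ".") + 1)
}

// RData is the DNSKEY RDATA: flags, protocol (always 3), algorithm, public key.
func (k DNSKEY) RData() []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2], b[3] = 3, k.Alg
	return append(b, k.PubKey...)
}

// keyTag implements RFC 4034 Appendix B over the DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	return uint16((ac + (ac >> 16)) & 0xffff)
}

// dsDigest is the SHA-256 DS digest (digest type 2) over owner name | DNSKEY RDATA,
// RFC 4034 s5.1.4. A trust anchor is exactly this value, obtained out of band.
func dsDigest(owner string, k DNSKEY) []byte {
	h := sha256.New()
	h.Write(wireName(owner))
	h.Write(k.RData())
	return h.Sum(nil)
}

// signedData is what an RRSIG covers: its own RDATA minus the signature, followed by
// the RRset in canonical form and order (RFC 4034 s3.1.8.1, s6.3).
func signedData(sig RRSIG, rrs []RR) []byte {
	var buf bytes.Buffer
	binary.Write(&buf, binary.BigEndian, struct {
		T    uint16
		A, L byte
		O, E, I uint32
		K    uint16
	}{sig.TypeCovered, sig.Alg, sig.Labels, sig.OrigTTL, sig.Expiration, sig.Inception, sig.KeyTag})
	buf.Write(wireName(sig.SignerName))
	var wires [][]byte
	for _, rr := range rrs {
		var w bytes.Buffer
		w.Write(wireName(rr.Name))
		binary.Write(&w, binary.BigEndian, struct {
			T, C uint16
			TTL  uint32
			L    uint16
		}{rr.Type, classIN, sig.OrigTTL, uint16(len(rr.RData))})
		w.Write(rr.RData)
		wires = append(wires, w.Bytes())
	}
	sort.Slice(wires, func(i, j int) bool { return bytes.Compare(wires[i], wires[j]) < 0 })
	for _, w := range wires {
		buf.Write(w)
	}
	return buf.Bytes()
}

// newZoneKey generates a P-256 key and its DNSKEY record (flags 257 = zone key + SEP).
func newZoneKey() (*ecdsa.PrivateKey, DNSKEY, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, DNSKEY{}, err
	}
	pub := append(priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32))...)
	return priv, DNSKEY{Flags: 257, Alg: alg13, PubKey: pub}, nil
}

// signRRset produces the RRSIG a zone signer would publish next to the RRset.
func signRRset(priv *ecdsa.PrivateKey, key DNSKEY, signer string, rrs []RR, inc, exp uint32) (RRSIG, error) {
	sig := RRSIG{TypeCovered: rrs[0].Type, Alg: alg13, Labels: labelCount(rrs[0].Name), OrigTTL: rrs[0].TTL,
		Expiration: exp, Inception: inc, KeyTag: keyTag(key.RData()), SignerName: signer}
	h := sha256.Sum256(signedData(sig, rrs))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return sig, err
	}
	sig.Signature = append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return sig, nil
}

// verifyRRset is the "naked signed data" check: it proves the RRset was signed by whoever
// holds this DNSKEY, whether the key came from the zone or out of band. It says nothing
// about whether that key is the right one for the zone.
func verifyRRset(rrs []RR, sig RRSIG, key DNSKEY, now uint32) error {
	if sig.Alg != alg13 || key.Alg != alg13 || len(key.PubKey) != 64 || len(sig.Signature) != 64 {
		return errors.New("unsupported algorithm or bad length")
	}
	if sig.KeyTag != keyTag(key.RData()) {
		return errors.New("key tag mismatch")
	}
	if now < sig.Inception || now > sig.Expiration {
		return errors.New("signature outside validity window")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(key.PubKey[:32]), Y: new(big.Int).SetBytes(key.PubKey[32:])}
	h := sha256.Sum256(signedData(sig, rrs))
	if !ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig.Signature[:32]), new(big.Int).SetBytes(sig.Signature[32:])) {
		return errors.New("signature does not verify")
	}
	return nil
}

// validate adds the third ingredient: the DNSKEY must hash to the configured trust anchor.
// Only then is the answer "secure" rather than merely "signed by somebody".
func validate(rrs []RR, sig RRSIG, key DNSKEY, anchorDS []byte, now uint32) error {
	if !bytes.Equal(dsDigest(sig.SignerName, key), anchorDS) {
		return errors.New("bogus: DNSKEY does not match trust anchor")
	}
	return verifyRRset(rrs, sig, key, now)
}

func main() {
	priv, key, _ := newZoneKey()
	rrs := []RR{{"www.example.gov.", typeA, 3600, []byte{192, 0, 2, 1}}} // constructed sample record
	sig, _ := signRRset(priv, key, "example.gov.", rrs, 1222000000, 1223000000)
	anchor := dsDigest("example.gov.", key) // what the parent would publish as the DS
	fmt.Println("secure:", validate(rrs, sig, key, anchor, 1222500000))
	fmt.Println("wrong anchor:", validate(rrs, sig, key, make([]byte, 32), 1222500000))
	rrs[0].RData[3] = 2 // tamper with the answer
	fmt.Println("tampered:", verifyRRset(rrs, sig, key, 1222500000))
}
```

The point of keeping verifyRRset and validate separate is Bill's: a resolver with no trust anchor can still run verifyRRset against a key it fetched some other way (a key file shipped with a root zone copy, say) and learn whether the data it loaded came from the holder of that key. What it cannot do without the anchor is tell a legitimate DNSKEY from one an attacker substituted along with matching RRSIGs, which is why the DS comparison is the step that turns "signed" into "secure".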
