<<<
Chronological Index
>>> <<<
Thread Index
>>>
Re: [ga] IPETEE - forget DNSSEC
- To: "JFC Morfin" <jefsey@xxxxxxxxxxxxxxxx>
- Subject: Re: [ga] IPETEE - forget DNSSEC
- From: "Joe Baptista" <baptista@xxxxxxxxxxxxxx>
- Date: Sun, 13 Jul 2008 22:56:41 -0400
On Sat, Jul 12, 2008 at 1:57 PM, JFC Morfin <jefsey@xxxxxxxxxxxxxxxx> wrote:
>
> At 11:48 12/07/2008, Peter Dambier wrote:
>
>> DNSSEC is the means to stop alternative roots. That is
>> probably the reason why everybody is made to want it.
>>
>
> could you please explain why?
Its to do with the start of authority key that signs all the other keys. If
that is signed then all the remainder are signed based on the root DNSSEC
key.
One of the things I remember is how insecure it is from the point of view of
the discover process. Because each record is in some encrypted way related
to the former in a sequential order - i..e. alphabetical order. So TLD
zones and domains who now protect their network infrastructure by not
allowing AXFR can now have that zones list of names discoverable if they
implement DNSSEC.
Maybe they fixed that. Just visit the IETF and look through the DNSSEC
RFC. It a lot like IPv6 - a technical nightmare waiting to happen with many
bugs and revisions.
It does not actually fix the problem with name server security - it just
patches it with an encrypted. The problem in name server security was fixed
back in 2002 by Dan Bernstein. We have all known about it and we all also
know that Bernstein is the author to the solution of running a stable safe
DNS. However what happened is the fools at the IETF and the senior DNS
operators gave him a hard time on it and we have seen patches to DNS server
software from all the vendors that have completed ignored the problem from
day one.
Bernstein solved the problem and is now credited for it.
regards
joe baptista
--
Joe Baptista
www.publicroot.org
PublicRoot Consortium
----------------------------------------------------------------
The future of the Internet is Open, Transparent, Inclusive, Representative &
Accountable to the Internet community @large.
----------------------------------------------------------------
Office: +1 (360) 526-6077 (extension 052)
Fax: +1 (509) 479-0084
<<<
Chronological Index
>>> <<<
Thread Index
>>>
|