James A. Donald wrote:
> From time to time I hear that DNSSEC is working fine, and on examining
> the matter I find it is "working fine" except that ....
> Seems to me that if DNSSEC is actually working fine, I should be able to
> provide an authoritative public key for any domain name I control, and
> should be able to obtain such keys for other domain names, and use such
> keys for any purpose, not just those purposes envisaged in the DNSSEC
> specification. Can I? It is not apparent to me that I can.
There are two major issues with DNSSEC right now. Neither of them is
that it isn't working.
Firstly, the root is not signed. This means there's no easy way for the
relying party to establish the correctness of the key on your domain.
Secondly, although we have DNS servers and resolvers, software that uses
DNS is largely unaware of DNSSEC and so has absolutely no idea what to
do when one of the many possible cryptographic/proof failures occurs.
Very little thought has gone into what should be done, even in software
that is aware.
That said, if you want to distribute keys with DNSSEC, then RFC 4398
standardises ways to do a number of them, and can be extended to cover
more. RFC 4255 gives you SSH host keys, too.
If you want to do something ad hoc, then there are always TXT records,
though I guarantee this will make the DNS people hate you forever.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
---------------------------------------------------------------------
The Cryptography Mailing List
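As an added illustration of the two points Ben raises (this is not code from the original message or from any of the RFCs' authors), the following Python builds and checks the SSHFP records RFC 4255 defines for SSH host keys, and shows why a relying party must look at whether the DNS answer was DNSSEC-validated before acting on a match. The RSA key is a constructed placeholder (its modulus is not a real key; only the OpenSSH blob layout matters for the fingerprint), the owner name `host.example.com.` is an assumption, and the ECDSA/Ed25519 algorithm numbers and the SHA-256 fingerprint type come from the later IANA registrations (RFC 6594 and RFC 7479), so they go beyond the RFC 4255 text the message cites.

```python
"""Generate and verify SSHFP records (RFC 4255) for OpenSSH public key lines.

Added example, not part of the original mailing-list post. The sample key below
is constructed: it has the right wire layout but is not a usable RSA key.
"""
import base64
import hashlib
import struct

# Algorithm numbers: RFC 4255 defines 1 and 2; 3 (RFC 6594) and 4 (RFC 7479)
# were registered later and are included here as an extension of the example.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-octet big-endian length followed by the octets."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian two's complement; a positive value
    whose high bit is set gets a leading zero octet."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line.
    Blob layout per RFC 4253 6.6: string "ssh-rsa", mpint e, mpint n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str):
    """Return (key_type, blob) from an OpenSSH public key line, checking that
    the type named in the blob agrees with the leading field."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length].decode() != key_type:
        raise ValueError("key type inside blob does not match leading field")
    return key_type, blob


def sshfp_rdata(line: str, fptype: int = 1):
    """RDATA as (algorithm, fptype, fingerprint_hex). The fingerprint is the
    hash of the raw public key blob, which is what `ssh-keygen -r` emits."""
    key_type, blob = parse_pubkey_line(line)
    return SSHFP_ALGORITHM[key_type], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def sshfp_record(owner: str, line: str, fptype: int = 1) -> str:
    """Zone-file presentation form of the record."""
    alg, fpt, fp = sshfp_rdata(line, fptype)
    return f"{owner} IN SSHFP {alg} {fpt} {fp}"


def check_host_key(line: str, records, authenticated: bool) -> str:
    """Decide what a client should do with the host key a server offered.

    `records` is a list of (algorithm, fptype, fingerprint_hex) tuples as
    returned by DNS; `authenticated` says whether the resolver reported the
    answer as DNSSEC-validated (the AD bit). A match in an unvalidated answer
    is only advisory: without a chain of trust to a signed root, anyone who
    can spoof DNS can also supply a matching SSHFP for their own key.
    """
    key_type, blob = parse_pubkey_line(line)
    alg = SSHFP_ALGORITHM[key_type]
    matched = any(
        a == alg and f in SSHFP_HASH and SSHFP_HASH[f](blob).hexdigest() == fp.lower()
        for a, f, fp in records
    )
    if not matched:
        return "mismatch"
    return "trusted" if authenticated else "insecure_match"


# Constructed sample keys (placeholder moduli, not real RSA keys).
SAMPLE_KEY = make_rsa_pubkey_line(65537, int("C0FFEE" * 40 + "1", 16), "constructed")
OTHER_KEY = make_rsa_pubkey_line(65537, int("BADF00D" * 34 + "3", 16), "constructed")

if __name__ == "__main__":
    for fptype in (1, 2):
        print(sshfp_record("host.example.com.", SAMPLE_KEY, fptype))
    published = [sshfp_rdata(SAMPLE_KEY, 1), sshfp_rdata(SAMPLE_KEY, 2)]
    print(check_host_key(SAMPLE_KEY, published, authenticated=True))
    print(check_host_key(SAMPLE_KEY, published, authenticated=False))
    print(check_host_key(OTHER_KEY, published, authenticated=True))
```

The three-way result of `check_host_key` mirrors what an SSH client that consults SSHFP has to do: only a validated answer may replace the interactive fingerprint prompt, a match from an unvalidated answer can at most be reported to the user, and a mismatch is a reason to refuse. Which of those outcomes a program actually takes is exactly the application-level decision the message says most DNSSEC-unaware software has not made.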