> >> First, DNSSEC does not provide confidentiality.  Given that, it's not
> >> clear to me why the NSA would try to stop or slow its deployment.

DNSSEC authenticates keys that can be used to bootstrap
confidentiality.  And it does so in a globally distributed, high
performance, high reliability database that is still without peer in
the world.

It was never clear to me why DNSSEC took so long to deploy, though
there was one major moment at an IETF in which a member of the IESG
told me point blank that Jim Bidzos had made himself so hated that the
IETF would never approve a standard that required the use of the RSA
algorithm -- even despite a signed blanket license for use of RSA for
DNSSEC, and despite the expiration of the patent.  I thought it was an
extreme position, and it was very forcefully expressed -- but it was
apparently widely enough shared that the muckety-mucks did force the
standard to go back to the committee and have a second algorithm added
to it (which multiplied the interoperability issues considerably and
caused several years of further delay).


PS: My long-standing domain registrar (enom.com) STILL doesn't support
DNSSEC records -- which is why toad.com doesn't have DNSSEC
protection.  Can anybody recommend a good, cheap, reliable domain
registrar who DOES update their software to support standards from ten
years ago?
The cryptography mailing list

Reply via email to