> >> First, DNSSEC does not provide confidentiality. Given that, it's not
> >> clear to me why the NSA would try to stop or slow its deployment.
DNSSEC authenticates keys that can be used to bootstrap confidentiality. And it does so in a globally distributed, high performance, high reliability database that is still without peer in the world.

It was never clear to me why DNSSEC took so long to deploy, though there was one major moment at an IETF in which a member of the IESG told me point blank that Jim Bidzos had made himself so hated that the IETF would never approve a standard that required the use of the RSA algorithm -- even despite a signed blanket license for use of RSA for DNSSEC, and despite the expiration of the patent. I thought it was an extreme position, and it was very forcefully expressed -- but it was apparently widely enough shared that the muckety-mucks did force the standard to go back to the committee and have a second algorithm added to it (which multiplied the interoperability issues considerably and caused several years of further delay).

John

PS: My long-standing domain registrar (enom.com) STILL doesn't support DNSSEC records -- which is why toad.com doesn't have DNSSEC protection. Can anybody recommend a good, cheap, reliable domain registrar who DOES update their software to support standards from ten years ago?

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
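The point above that DNSSEC "authenticates keys" rests on the delegation chain of trust: a parent zone publishes a DS record (a hash of the child's key-signing DNSKEY), and a validating resolver only accepts the child's DNSKEY if it matches that DS. Once the DNSKEY is trusted, any record signed under it (including records that carry key material for other protocols) can be trusted in turn. The following is an added example, not code from the original post, showing that DS/DNSKEY check with nothing beyond the Python standard library. It implements the canonical owner-name wire form, the RFC 4034 Appendix B key tag, and the SHA-256 DS digest (digest type 2, RFC 4509); the zone names, key bytes and the `DNSKEY`/`DS` classes are constructed for illustration and are not real zone data.

```python
import hashlib
import hmac
from dataclasses import dataclass


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase labels, each length-prefixed, terminated by the root label."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    wire = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return wire + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    """A DNSKEY RR as a resolver would see it (constructed type for this example)."""
    owner: str
    flags: int        # 257 = zone key + SEP (a KSK); 256 = zone key only (a ZSK)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (valid for all algorithms except 1)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += byte << 8 if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    """A DS RR published in the parent zone (constructed type for this example)."""
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256 (RFC 4509)
    digest: bytes


def ds_from_dnskey(key: DNSKEY, digest_type: int = 2) -> DS:
    """What the parent publishes: digest(owner name wire form || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("only SHA-256 (digest type 2) is implemented in this example")
    digest = hashlib.sha256(name_to_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def ds_authenticates(ds: DS, key: DNSKEY) -> bool:
    """Resolver-side check (RFC 4035 section 5.2): does this DS vouch for this DNSKEY?"""
    if ds.key_tag != key.key_tag() or ds.algorithm != key.algorithm:
        return False
    if key.protocol != 3 or not (key.flags & 0x0100):   # Zone Key bit must be set
        return False
    expected = ds_from_dnskey(key, ds.digest_type)
    return hmac.compare_digest(expected.digest, ds.digest)


# Constructed sample data: a child zone's KSK and the DS its parent would publish.
CHILD_KSK = DNSKEY("example.com.", 257, 3, 13, bytes(range(64)))
PARENT_DS = ds_from_dnskey(CHILD_KSK)

# A DNSKEY with the same owner/flags/algorithm but different key material,
# as a resolver would see if a response carried a substituted key.
ROGUE_KEY = DNSKEY("example.com.", 257, 3, 13, bytes(range(1, 65)))


def chain_check() -> dict:
    """Summarise the outcome of validating both keys against the parent's DS."""
    return {
        "genuine_key_accepted": ds_authenticates(PARENT_DS, CHILD_KSK),
        "substituted_key_accepted": ds_authenticates(PARENT_DS, ROGUE_KEY),
    }


if __name__ == "__main__":
    print("key tag:", CHILD_KSK.key_tag())
    print("DS digest:", PARENT_DS.digest.hex())
    print(chain_check())
```

Only a key whose digest matches the parent's DS is accepted; a substituted key with the same owner, flags and algorithm fails, which is exactly why a cache-poisoned or on-path DNSKEY answer cannot be used to vouch for records beneath it once the parent is validated. A real resolver additionally verifies the RRSIG over the DNSKEY RRset with the accepted KSK and walks this check down from a configured trust anchor at the root.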