<chair-hat>
This discussion is off topic.
DANE is about how to leverage DNSSEC by applications, and conspiracy theories
are not within our charter.
Anyone that does not trust DNSSEC operations is free to ignore distribution of
OpenPGP keys via DNS, and continue to use the web of trust.
</chair-hat>
Olafur
On Jul 28, 2014, at 10:59 AM, Rene Bartsch <[email protected]> wrote:
> Maybe I misunderstood draft-zhang-ct-dnssec-trans-00 but I do not see how it
> would help. Consider the following case:
>
> (Forced by secret US law) The IANA secretly hands over the current private
> key of the DNSSEC trust anchor to a US government agency which uses the
> private key to sign forged zones and feeds them to DNS resolvers. That way US
> government agencies would be able to manipulate any DNS record including
> OpenPGP while users would be lulled into a false sense of security.
>
> In case I didn't miss any super-security feature users should be aware of
> that fact.
>
> On 2014-07-28 15:52, Paul Wouters wrote:
>>> 3. Security considerations: The IANA has control over the DNSSEC root keys.
>>> As the IANA is bound to US law, US government agencies probably have access
>>> to the DNSSEC root keys and are capable of manipulating the OpenPGP keys
>>> signed with DNSSEC.
>> There is currently a first attempt at specifying transparency for
>> DNSSEC for those who want to audit/track the DNSSEC root or parent
>> domain holders:
>> http://tools.ietf.org/html/draft-zhang-ct-dnssec-trans-00
>> Paul
>
> --
> Best regards,
>
> Renne
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane