DNSSEC - does it exist?

Jeroen Massar jeroen at unfix.org
Mon Oct 23 10:49:44 UTC 2006


Chris Drake wrote:
> Hi,
> 
> DNSSEC has been mentioned a few times.  It seems to be a way for
> authoritative servers to digitally sign DNS replies - with the intent
> that client resolvers check signatures - including (as far as I can
> tell) the whole chain up to the "root" zone.
> 
> What I can't find is any obvious mention of who the root is, nor how
> I'd get my keys "signed" by them, nor how a client resolver (eg: a
> potential victim's Windows XP box) might install a root key - which
> leads me to believe there's no DNSSEC root authorities yet, and thus
> this protocol doesn't exist.

Currently the root is not signed yet, but various folks are working on
getting this in place. In the meantime you can use a lookaside
mechanism, e.g. using http://www.iks-jena.de/leistungen/dnssec.php

For more information see:
http://www.dnssec-deployment.org/
especially http://www.dnssec-deployment.org/howdoi/DNSSECGuides.htm
and for instance:
http://www.circleid.com/posts/dnssec_deployment_at_root/

rest google(dnssec deployment)

Greets,
 Jeroen
