DNSSEC - does it exist?

Alaric Dailey alaricdailey at hotmail.com
Mon Oct 23 14:56:30 UTC 2006


DNSSEC does exist, you can implement it right now, but NOT with a Windows
DNS server.  Currently I know of NO CA that will create keys for DNSSEC.
Currently you create your own keys thusly

http://www.ripe.net/disi/dnssec_howto/#creakey

And publish the public key portion via DNS.  So to answer your question, for
now, YOU sign your DNS.

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Chris Drake
Sent: Monday, October 23, 2006 5:36 AM
To: general at openid.net
Subject: DNSSEC - does it exist?

Hi,

DNSSEC has been mentioned a few times.  It seems to be a way for
authoritative servers to digitally sign DNS replies - with the intent that
client resolvers check signatures - including (as far as I can
tell) the whole chain up to the "root" zone.

What I can't find is any obvious mention of who the root is, nor how I'd get
my keys "signed" by them, nor how a client resolver (e.g. a potential victim's
Windows XP box) might install a root key - which leads me to believe there are
no DNSSEC root authorities yet, and thus this protocol doesn't exist.

Am I wrong?  (I hope so!!! - and if I am - where/how do I submit my DNSSEC
CSR? - this is a really cool idea)

Kind Regards,
Chris Drake
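
Added example (not part of either message and not taken from the RIPE howto): what "publishing the public key portion via DNS" looks like at the record level, building a DNSKEY record, its key tag, and the SHA-256 DS digest that a parent zone publishes to link a child key into a chain. The key bytes and example.com. are constructed placeholders; the DS record is standard DNSSEC (RFC 4034, RFC 4509) and is not mentioned in the thread.

```python
import base64
import hashlib
import struct

# Constructed 4-byte stand-in for a public key; a real RSA key is far longer.
SAMPLE_PUBKEY = bytes([1, 2, 3, 4])


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 2.1): flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B): 16-bit checksum used to pick out a key."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def owner_wire(name: str) -> bytes:
    """Canonical owner name: lowercase labels, each length-prefixed, then root."""
    labels = [p for p in name.lower().split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (RFC 4509): hash of owner name followed by the RDATA."""
    return hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()


def zone_lines(owner: str, flags: int, algorithm: int, pubkey: bytes):
    """Return the DNSKEY line for the zone and the DS line for its parent."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    b64 = base64.b64encode(pubkey).decode("ascii")
    dnskey = f"{owner} IN DNSKEY {flags} 3 {algorithm} {b64}"
    ds = f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {ds_digest(owner, rdata)}"
    return dnskey, ds


if __name__ == "__main__":
    # 257 = key-signing key flags, 8 = RSA/SHA-256; example.com. is a placeholder.
    for line in zone_lines("example.com.", 257, 8, SAMPLE_PUBKEY):
        print(line)
```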

