DNSSEC - does it exist?

James A. Donald jamesd at echeque.com
Mon Oct 23 23:18:33 UTC 2006


Chris Drake wrote:
 > Hi,
 >
 > DNSSEC has been mentioned a few times.  It seems to be
 > a way for authoritative servers to digitally sign DNS
 > replies - with the intent that client resolvers check
 > signatures - including (as far as I can tell) the
 > whole chain up to the "root" zone.
 >
 > What I can't find is any obvious mention of who the
 > root is, nor how I'd get my keys "signed" by them, nor
 > how a client resolver (eg: a potential victim's Windows
 > XP box) might install a root key - which leads me to
 > believe there's no DNSSEC root authorities yet, and
 > thus this protocol doesn't exist.

DNSSEC exists in the sense that it is an officially blessed
IETF protocol, and in that almost every copy of BIND in
actual use supports it.

DNSSEC does not exist in the sense that it is
dysfunctional, that it is not used except for a few
complicated special cases, that for the most part it
cannot be used.  Its existence as an IETF standard is an
irrelevant ghost of existence since the IETF and IANA
are moribund and have been moribund for some years - as
demonstrated by the inability of IANA to issue the .sex
and .porn top level domains, the unbearable stupidity of
IPsec, and the living dead status of IPv6.  DNSSEC is
even less existent than IPv6.


