DNSSEC - does it exist?

James A. Donald jamesd at echeque.com
Tue Oct 24 02:40:10 UTC 2006


Alaric Dailey wrote:
 > DNSSEC does exist, you can implement it right now, but
 > NOT with a windows DNS server.  Currently I know of NO
 > CA that will create keys for DNSSEC. Currently you
 > create your own keys thusly
 >
 > http://www.ripe.net/disi/dnssec_howto/#creakey
 >
 > And publish the public key portion via DNS.  So to
 > answer your question, for now, YOU sign your DNS.

Since domain names should be globally unique and
somewhat human readable, they require a somewhat
centralized name allocation system.  If this system is
to be backed by public keys, then most well known top
level domains have to have a well known master root key,
and the particular domain keys for particular domains
need to be linked by a chain of certificates to the root
key of their top level domain.  We do not have this, so
it really does not work.

DNSSEC cannot really be said to exist until there are
well known master root public keys for most well known
top level domains.

Nor, indeed, is there any real prospect that we will
have this.  If IANA is incapable of issuing a new top
level domain, they are unlikely to be able to issue top
level master root keys either.

Internet governance was based on the concept that a small
cabal of experts would gather around a coffee table,
decide what must be done, then do it, after finishing
off the coffee.  As the internet has grown larger, this
system has broken down.  In its place we need norms that
enable people to get things done, to make changes, in an
environment where there can neither be consensus on what
should be done, nor a central authority to lay down the
law.
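A toy walk of the chain of trust the post describes, added here as an illustration (not code from the post or from any DNSSEC implementation): each parent zone publishes and signs a DS digest of its child's key, and a validator accepts that chain only from a configured trust anchor, so with no published key for the top zone the best answer it can give is "insecure". Ed25519 keys, the DS digest layout and the zone names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Zone models one DNSSEC zone: its key pair and, per child name, the DS digest it publishes and its signature over it.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	DS, Sig map[string][]byte
}
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // toy: one key per zone, no KSK/ZSK split
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
// dsDigest models a DS record: a hash binding the child's owner name to its DNSKEY.
func dsDigest(child string, pub ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(child), pub...))
	return h[:]
}
// Delegate: the parent publishes a DS record for the child and signs it with the parent's key.
func (p *Zone) Delegate(c *Zone) {
	p.DS[c.Name] = dsDigest(c.Name, c.Pub)
	p.Sig[c.Name] = ed25519.Sign(p.priv, append([]byte(c.Name), p.DS[c.Name]...))
}

// Validate walks the chain (root first) from a configured trust anchor to the leaf; with no anchor for the top zone nothing below it can be validated.
func Validate(anchors map[string]ed25519.PublicKey, chain []*Zone) string {
	if a, ok := anchors[chain[0].Name]; !ok || !a.Equal(chain[0].Pub) {
		return "insecure: no trust anchor for " + chain[0].Name
	}
	for i := 0; i+1 < len(chain); i++ {
		p, c := chain[i], chain[i+1]
		d, ok := p.DS[c.Name] // the parent's DS must exist, match the child's key and carry a valid parent signature
		if !ok || string(d) != string(dsDigest(c.Name, c.Pub)) || !ed25519.Verify(p.Pub, append([]byte(c.Name), d...), p.Sig[c.Name]) {
			return "bogus: DS for " + c.Name + " missing, mismatched or unsigned"
		}
	}
	return "secure"
}

func main() {
	root, com, ex := NewZone("."), NewZone("com."), NewZone("example.com.")
	root.Delegate(com); com.Delegate(ex)
	fmt.Println(Validate(nil, []*Zone{root, com, ex}))                                         // insecure: no trust anchor for .
	fmt.Println(Validate(map[string]ed25519.PublicKey{".": root.Pub}, []*Zone{root, com, ex})) // secure
}
```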


