[EURO-Discuss] ALAC-WG on DNSSEC

Patrick Vande Walle patrick at vande-walle.eu
Sun Aug 31 11:52:13 EDT 2008


Lutz Donnerhacke wrote:

> From the AtLarge point of view, I prefer a multiple signing key concept: You
> can trust the key holders you like. So if the DOD has one set of root keys,
> the company Verisign has a second, and other organisations has even other
> keys, no single party is able to modify the relevant entries without asking
> for signing all other parties. In the case of short term modifications, the
> missing signatures from the other parties will detect the modifications as
> an attack to the system.

Indeed, this is the way to go.

>>> I run a signed root since more than two years in production environments
>>> (for ~15000 people) and one of the largest DLVs.

>> Where can we get and test it?
> 
> Simply do it. Documentation can be found on my company's website. Please
> search yourself. I'll not promote it.

Signing the root zone on your own does not add any value to the process.
OK, you trust yourself. Most people do trust themselves. Most people
usually do not trust others, unless they are given a good reason to. The
real challenge is to have the root signed by some entity(ies) that
inspire trust to everyone. This is a layer 9 issue.

> That's FUD, too. The root zone is signed by IANA. I'll see this version
> productive on the meeting in Cairo. That's all.

The root zone on ns.iana.org has indeed been signed. But as David Conrad
explained, it is a test, not meant for production.

>> 1) on the Unbound mailing list:  (the DNS software by NLnet Labs, 
>> sponsored by Nominet and Verisign):
> 
> That's FUD. NLNetlab is not sponsored by Nominet nor Verisign.
> NLNetlab produces the leading DNSSEC software and testbeds.

Unbound was developed based on a Java prototype sponsored by Verisign,
Nominet and others. NLNet Labs did the C implementation. So, if it may
be correct that VRSN and Nominet do not directly fund NLNet Labs, at
least they suggested developing an alternative to BIND. While I am
generally the first to bash VRSN, I must say that I am forever thankful
to them for this.

> I volunteered to provide a DNSSEC track for the summit. User oriented
> material has to be produced for this event. Currently the documentation is most
> readable in the RFCs. The websites out there are wracky.

DNSSEC suffers the same issue as IPv6 that prevents wide deployment. We
cannot just assume that the overworked sysadmin in your average SME is
ready to go through hundreds of pages of technical documents. Give him a
simple GUI in Windows/Linux/Solaris/whatever. Key generation, rollover,
etc. is just something the user should not have to worry about. A single
checkbox should be enough.

-- 
Patrick Vande Walle
Check my blog: http://patrick.vande-walle.eu
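The multiple-signing-key policy argued for at the top of this message (every root key holder signs; a missing signature from any party is treated as tampering) as an added illustration, not code from this thread or from any DNSSEC implementation. It assumes a constructed root RRset and three hypothetical key holders, and uses HMAC as a stdlib-only stand-in for the DNSKEY/RRSIG pairs so the validation policy, not the signature algorithm, is what it demonstrates.

```python
import hashlib
import hmac

# Constructed stand-in: each root key holder's signing key. HMAC replaces the
# asymmetric DNSKEY/RRSIG pair so this runs on the stdlib alone; a real
# validator would verify RRSIGs against each holder's published DNSKEY.
KEY_HOLDERS = {"DOD": b"dod-key", "Verisign": b"verisign-key", "Org3": b"org3-key"}

# Constructed root RRset (a few NS names stand in for the real apex records).
ROOT_NS = ["a.root-servers.net.", "b.root-servers.net."]


def canonical(rrset):
    """Canonical wire-like form: sorted records, one per line."""
    return "\n".join(sorted(rrset)).encode()


def sign(rrset, key):
    return hmac.new(key, canonical(rrset), hashlib.sha256).hexdigest()


def sign_all(rrset, holders):
    """Every key holder signs the same RRset (the proposed multi-party setup)."""
    return {holder: sign(rrset, key) for holder, key in holders.items()}


def validate_single_anchor(rrset, rrsigs, holders):
    """Conventional policy: one valid signature from any trusted key suffices."""
    for holder, sig in rrsigs.items():
        if holder in holders and hmac.compare_digest(sig, sign(rrset, holders[holder])):
            return "secure", []
    return "bogus", sorted(holders)


def validate_multi_anchor(rrset, rrsigs, holders):
    """Thread's policy: every configured holder must have a valid signature.
    Returns the status and the holders whose signature is missing or invalid."""
    missing = [h for h, k in holders.items()
               if not hmac.compare_digest(rrsigs.get(h, ""), sign(rrset, k))]
    return ("secure" if not missing else "bogus"), sorted(missing)


def demo():
    all_signed = sign_all(ROOT_NS, KEY_HOLDERS)
    # One key holder unilaterally publishes a modified RRset with only its own
    # signature; the other parties never signed the change.
    tampered = ROOT_NS + ["rogue.example."]
    only_one = {"Verisign": sign(tampered, KEY_HOLDERS["Verisign"])}
    return {
        "all_signed": validate_multi_anchor(ROOT_NS, all_signed, KEY_HOLDERS),
        "tampered_single": validate_single_anchor(tampered, only_one, KEY_HOLDERS),
        "tampered_multi": validate_multi_anchor(tampered, only_one, KEY_HOLDERS),
    }
```

With a single trust anchor the unilateral change validates as secure; the multi-party policy flags it bogus and names the parties whose signatures are absent.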
