Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 20 Feb 2001 00:27:01 -0500 (EST)
From:      Robert Watson <rwatson@freebsd.org>
To:        Dan Peterson <danp@danp.net>
Cc:        arch@freebsd.org
Subject:   Re: DJBDNS vs. BIND
Message-ID:  <Pine.NEB.3.96L.1010220002201.5329D-100000@fledge.watson.org>
In-Reply-To: <20010219104338.B98114@danp.net>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Mon, 19 Feb 2001, Dan Peterson wrote:

> > Name servers are welcome to implement whatever certification process
> > they'd like: it doesn't have to include the DNS root, it's welcome to
> > include peers, etc. Many people are critical of the DNSsec root model, but
> > you're not forced to use that.
> 
> If it doesn't start at the roots, what good is it? Sure, you can make
> sure records within your own zones are "secure," but that's pretty much
> a given anyway. What about results from recursive queries to the
> Internet? DNSSEC is meaningless unless it goes from the roots up. 

A number of potential consumers of DNSsec are far more interested in
non-root use that root-use.  For example, in .mil and other large domains,
the ability to secure between components of the organization is very
useful.  A number of companies and organizations are also interested in
peer-based key sharing, where they introduce bounded trust for the peer's
key to sign the peer's zone, which can then be used to key network and
application layer security services between arbitrary hosts in the domain
pair.  Many managers of large-scale distributed systems would love a
scalable, distributed keying infrastructure--the DNSsec-enabled OpenSSH
client is very useful :-).  Even with a certification service starting at
the root, such alternative models would still be very useful.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1010220002201.5329D-100000>