From owner-freebsd-arch Mon Feb 19 21:27:07 2001
Delivered-To: freebsd-arch@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 7C32D37B401
	for ; Mon, 19 Feb 2001 21:27:03 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.11.1/8.11.1) with SMTP id f1K5R1h05838;
	Tue, 20 Feb 2001 00:27:01 -0500 (EST)
	(envelope-from robert@fledge.watson.org)
Date: Tue, 20 Feb 2001 00:27:01 -0500 (EST)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Dan Peterson
Cc: arch@freebsd.org
Subject: Re: DJBDNS vs. BIND
In-Reply-To: <20010219104338.B98114@danp.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-arch@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 19 Feb 2001, Dan Peterson wrote:

> > Name servers are welcome to implement whatever certification process
> > they'd like: it doesn't have to include the DNS root, it's welcome to
> > include peers, etc.  Many people are critical of the DNSsec root model,
> > but you're not forced to use that.
>
> If it doesn't start at the roots, what good is it?  Sure, you can make
> sure records within your own zones are "secure," but that's pretty much
> a given anyway.  What about results from recursive queries to the
> Internet?  DNSSEC is meaningless unless it goes from the roots up.

A number of potential consumers of DNSsec are far more interested in
non-root use than root use.  For example, in .mil and other large
domains, the ability to secure between components of the organization is
very useful.  A number of companies and organizations are also interested
in peer-based key sharing, where they introduce bounded trust for the
peer's key to sign the peer's zone, which can then be used to key network
and application layer security services between arbitrary hosts in the
domain pair.

Many managers of large-scale distributed systems would love a scalable,
distributed keying infrastructure--the DNSsec-enabled OpenSSH client is
very useful :-).  Even with a certification service starting at the root,
such alternative models would still be very useful.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-arch" in the body of the message
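The "bounded trust" model Watson describes (a peer's key is trusted to sign the peer's zone and nothing else) is exactly what a validator does when it is configured with a trust anchor for a zone other than the root. The following is an added example, not code from the thread, from FreeBSD, or from any real resolver: a toy validator that models how trust anchors are scoped to zones and how DS links chain a child zone to its parent. Real validators (BIND, Unbound) verify RRSIG signatures over DS/DNSKEY RRsets; here the cryptography is replaced by key-tag bookkeeping so the trust logic runs stand-alone, and every zone name, key tag and record is constructed for the illustration. The `ISLAND` validator is configured only with the peer zone's key, the `ROOTED` one only with a root key, so the two can be compared on the same records.

```python
# Added example, not from the FreeBSD thread: a toy DNSSEC validator that
# models how a trust anchor is scoped to the zone it is configured for,
# so a peer's key can vouch for the peer's zone and nothing else.
# Real validators (BIND, Unbound) verify RRSIGs over DS/DNSKEY chains;
# here signature checks are replaced by key-tag bookkeeping so the trust
# logic runs stand-alone. All zones, key tags and records are constructed.
from dataclasses import dataclass
from typing import Optional

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"


def labels(name: str) -> list:
    """Split a DNS name into labels; the root '.' has none."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it."""
    n, z = labels(name), labels(zone)
    return n[len(n) - len(z):] == z if z else True


@dataclass(frozen=True)
class Record:
    name: str     # owner name of the RRset
    zone: str     # apex of the zone that serves it
    signer: str   # signer-name field of its RRSIG
    keytag: int   # key tag of the key that produced the RRSIG


class Validator:
    def __init__(self, anchors: dict, ds: dict, zone_keys: dict):
        self.anchors = anchors      # zone -> trusted KSK key tag
        self.ds = ds                # child zone -> (parent zone, DS key tag),
                                    # or None when the parent proves no DS exists
        self.zone_keys = zone_keys  # zone -> key tags in its DNSKEY RRset

    def covering_anchor(self, name: str) -> Optional[str]:
        """Most specific configured anchor zone that contains name, or None."""
        best = None
        for zone in self.anchors:
            if in_zone(name, zone) and (best is None or len(labels(zone)) > len(labels(best))):
                best = zone
        return best

    def zone_status(self, zone: str) -> str:
        """Chain a zone's DNSKEY RRset back to the anchor that covers it."""
        anchor = self.covering_anchor(zone)
        if anchor is None:
            return INSECURE                  # outside every island of trust
        if anchor == zone:
            return SECURE if self.anchors[zone] in self.zone_keys.get(zone, set()) else BOGUS
        if zone not in self.ds:
            return BOGUS                     # no DS and no proof of its absence
        link = self.ds[zone]
        if link is None:
            return INSECURE                  # authenticated unsigned delegation
        parent, tag = link
        parent_status = self.zone_status(parent)
        if parent_status != SECURE:
            return parent_status
        return SECURE if tag in self.zone_keys.get(zone, set()) else BOGUS

    def validate(self, rec: Record) -> str:
        status = self.zone_status(rec.zone)
        if status != SECURE:
            return status
        # A key may only sign names in its own zone: the RRSIG signer must be
        # the apex of the zone holding the record, and the key must be in that
        # zone's DNSKEY set. A peer's key vouching for another zone is bogus.
        if labels(rec.signer) != labels(rec.zone) or not in_zone(rec.name, rec.zone):
            return BOGUS
        return SECURE if rec.keytag in self.zone_keys.get(rec.zone, set()) else BOGUS


# Constructed zone tree: . -> example -> {peer.example -> hq.peer.example, other.example}
ZONE_KEYS = {".": {1}, "example": {10}, "peer.example": {20},
             "hq.peer.example": {30}, "other.example": {40}}
DS = {"example": (".", 10), "peer.example": ("example", 20),
      "hq.peer.example": ("peer.example", 30), "other.example": ("example", 40)}

ISLAND = Validator({"peer.example": 20}, DS, ZONE_KEYS)  # peer key only, no root anchor
ROOTED = Validator({".": 1}, DS, ZONE_KEYS)              # classic root-anchored chain

SAMPLE = {
    "peer_ok":       Record("www.hq.peer.example", "hq.peer.example", "hq.peer.example", 30),
    "peer_badkey":   Record("www.hq.peer.example", "hq.peer.example", "hq.peer.example", 31),
    "other_ok":      Record("www.other.example", "other.example", "other.example", 40),
    "other_by_peer": Record("www.other.example", "other.example", "peer.example", 20),
}


def compare(validator: Validator) -> dict:
    """Validation status of every sample record under one validator."""
    return {k: validator.validate(r) for k, r in SAMPLE.items()}


if __name__ == "__main__":
    for label, v in (("island", ISLAND), ("rooted", ROOTED)):
        print(label, compare(v))
```

Two outcomes carry the point of the message. Under `ISLAND`, `peer_ok` is secure through the `hq.peer.example` DS link even though no root key is configured, which is the intra-organization use Watson describes; `other_by_peer` comes back insecure rather than secure, because the peer's anchor covers only names under `peer.example`, so the peer's key cannot elevate anything outside it. Under `ROOTED`, the same `other_by_peer` record is bogus: the root chain does cover `other.example`, and a signature from a foreign zone's key fails the signer check.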