Actually it does buy us some trust but as the roots aren't signed it's fairly moot.

On 21/11/2009, Nigel Jones <dev@xxxxxxxxxx> wrote:
> At the moment? Nothing.
>
> On 21/11/2009, Mike McGrath <mmcgrath@xxxxxxxxxx> wrote:
>> On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>>
>>> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath@xxxxxxxxxx>
>>> wrote:
>>> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
>>> >
>>> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath@xxxxxxxxxx>
>>> >> wrote:
>>> >> >
>>> >> > So, for example 'fedoraproject.org' wouldn't be signed, but
>>> >> > 'us.fedoraproject.org' would be? I *think* that's possible but I
>>> >> > haven't gotten it to work. If I can get that to work though I guess
>>> >> > that makes sense because A) it'd work for now and B) I'm sure over
>>> >> > time pdns's dnssec will continue to mature.
>>> >>
>>> >> No, that wouldn't really work, because then you couldn't trust
>>> >> lookups from the fedoraproject.org zone, which would include
>>> >> delegations to the subdomains, the main website itself, MX records,
>>> >> etc.
>>> >>
>>> >
>>> > But if fedoraproject.org pointed to some place that wasn't signed or
>>> > was signed incorrectly, wouldn't that fail?
>>>
>>> fedoraproject.org can't be a CNAME because it has other records like
>>> MX, NS, SOA, etc. We'd have to switch to using
>>> 'www.fedoraproject.org' which could be a CNAME into an unsigned
>>> subzone.
>>>
>>> But then you'd still have the problem of relying on an unsigned zone
>>> serving up DNS data, eventually no one is going to trust it.
>>>
>>
>> At this very moment, what is dnssec buying us?
>>
>> -Mike
>
> --
> Sent from my mobile device
>
> -- Nigel Jones
>

--
Sent from my mobile device

-- Nigel Jones

_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list
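Editor's note: the thread above turns on two DNS facts, that a signed child zone (us.fedoraproject.org) cannot be validated if its parent (fedoraproject.org) is unsigned, and that a zone apex cannot be a CNAME because it already carries SOA, NS and MX records. The following is an added example written for this page, not code from the list participants or from Fedora Infrastructure: a small model of the DNSSEC chain of trust that classifies a name as secure, insecure or bogus in the RFC 4035 sense, plus the RFC 1034 "CNAME must stand alone" check. The zone layout, `Zone` class, function names and the `build_zones` helper are all constructed for illustration and are not real fedoraproject.org DNS data.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                      # fully qualified, e.g. "fedoraproject.org."
    signed: bool                   # zone publishes DNSKEY and RRSIG records
    ds_in_parent: bool = False     # parent holds a DS matching this zone's KSK
    records: dict = field(default_factory=dict)  # owner name -> set of RR types


def enclosing_zones(zones, qname):
    """Zones on the path from the root down to qname, root first."""
    qname = qname if qname.endswith(".") else qname + "."
    path = [z for z in zones.values()
            if z.name == "." or qname == z.name or qname.endswith("." + z.name)]
    return sorted(path, key=lambda z: len(z.name))


def validation_status(zones, qname):
    """Walk the chain of trust from the root (the configured trust anchor)
    and return 'secure', 'insecure' or 'bogus' for qname (RFC 4035 terms)."""
    status = None
    for zone in enclosing_zones(zones, qname):
        if zone.name == ".":
            status = "secure" if zone.signed else "insecure"
            continue
        if status != "secure":
            # Parent is not validated, so nothing the child publishes can be
            # tied to the anchor: an unsigned fedoraproject.org makes a signed
            # us.fedoraproject.org insecure, exactly the point made above.
            continue
        if not zone.ds_in_parent:
            status = "insecure"    # signed parent proves no DS exists (NSEC)
        elif zone.signed:
            status = "secure"
        else:
            status = "bogus"       # DS promises keys the child does not serve
    return status


def cname_allowed(zone, owner):
    """RFC 1034: a CNAME must be the only RR type at its owner name, so an
    apex (which always has SOA and NS) can never be a CNAME."""
    others = zone.records.get(owner, set()) - {"CNAME"}
    return not others


def build_zones(parent_signed):
    """Constructed zone data (illustrative, not real DNS) with a signed root,
    a signed org., a fedoraproject.org. that is signed or not as requested,
    and a signed us.fedoraproject.org. subzone delegated below it."""
    return {
        ".": Zone(".", signed=True),
        "org.": Zone("org.", signed=True, ds_in_parent=True),
        "fedoraproject.org.": Zone(
            "fedoraproject.org.", signed=parent_signed, ds_in_parent=parent_signed,
            records={
                "fedoraproject.org.": {"SOA", "NS", "MX", "A"},
                "www.fedoraproject.org.": {"CNAME"},
                "us.fedoraproject.org.": {"NS"},   # delegation to the subzone
            },
        ),
        "us.fedoraproject.org.": Zone(
            "us.fedoraproject.org.", signed=True, ds_in_parent=True,
            records={"us.fedoraproject.org.": {"SOA", "NS", "A"}},
        ),
    }


if __name__ == "__main__":
    for parent_signed in (False, True):
        zones = build_zones(parent_signed)
        print(f"fedoraproject.org signed={parent_signed}:",
              validation_status(zones, "www.us.fedoraproject.org"))
    apex = build_zones(True)["fedoraproject.org."]
    print("apex may be CNAME:", cname_allowed(apex, "fedoraproject.org."))
    print("www may be CNAME:", cname_allowed(apex, "www.fedoraproject.org."))
```

Run as a script it shows the subzone coming out `insecure` while the parent is unsigned and `secure` once the parent is signed with a DS in org., and that the apex fails the CNAME check while www.fedoraproject.org passes it. The "bogus" branch is what a validating resolver returns when a DS exists but the child serves no matching keys, which is the "signed incorrectly" case raised in the thread.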