On Tue, 2 Jun 2009, Masataka Ohta wrote:
> For my domain: "necom830.hpcl.titech.ac.jp", the hierarchy of zones has hops of ".", "jp", "ac.jp", "titech.ac.jp" and "hpcl.titech.ac.jp". The authority hops are IANA, JPNIC, my university, and my lab. Though you may have a direct relationship with IANA, JPNIC is a third party for both you and me.
>
> Yes, security of DNSSEC is totally hop by hop.
Just as DNS was designed to work: hierarchical. If you want to add additional protection because you don't trust your parents, no one stops you from using a DNSSEC-capable resolver that has DNSSEC zones configured directly, without relying on the parent.

I can't preload 50 million keys. I cannot build trust relations with 50 million domains. Just like we could not preload 50 million nameserver pointers. Hierarchy is the strength of DNS, not its weakness. DNSSEC allows you to specifically bypass the hierarchy for whatever zone you want.

The only real question is, how does Masataka Ohta scale? My suspicion is that you don't scale to 50M domains, and that you will be forced to outsource some of that trust. DNSSEC does the outsourcing of trust, distributed to the same people who are already responsible for the data you're about to trust. And note that even if you scale to 50M domains, I don't, so don't expect me to set up a trust relationship with you specifically.

Paul

_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf
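The hop-by-hop chain of trust the two posters are arguing about, and the per-zone trust anchor Paul suggests for bypassing a parent you don't trust, as an added example in Go that is not part of the thread and not anyone's resolver code. It models each zone of Ohta's example ("." down to "hpcl.titech.ac.jp") with one Ed25519 key, a parent's signed DS record for each child, and a validator that starts at the closest enclosing trust anchor it has configured. The keys, the attacker scenario and the DS/signature encodings are constructed stand-ins for illustration, not wire-format DNSSEC: the point is what a validator accepts when a third-party hop such as "jp" re-delegates a child, with and without a direct anchor for "titech.ac.jp".

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Zone is one hop of the hierarchy. Simplified: one key pair per zone (real zones
// usually split KSK and ZSK) and no signature validity window or key rollover.
type Zone struct {
	Name      string
	pub       ed25519.PublicKey
	priv      ed25519.PrivateKey
	ds, dsSig map[string][]byte // child zone -> DS digest, and -> signature over that DS
}

func NewZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, pub: pub, priv: priv, ds: map[string][]byte{}, dsSig: map[string][]byte{}}
}

// dsDigest is what a parent publishes, and what a trust anchor stores, for a zone's key.
func dsDigest(name string, key ed25519.PublicKey) []byte {
	h := sha256.Sum256(append([]byte(name+"|"), key...))
	return h[:]
}

// dsRecord is the owner-plus-digest blob that stands in for the DS RRset being signed.
func dsRecord(child string, digest []byte) []byte { return append([]byte("DS|"+child+"|"), digest...) }

// Delegate publishes a signed DS for child. Calling it again for the same name
// replaces the delegation: a parent can always re-point a child at other keys.
func (z *Zone) Delegate(child *Zone) {
	d := dsDigest(child.Name, child.pub)
	z.ds[child.Name] = d
	z.dsSig[child.Name] = ed25519.Sign(z.priv, dsRecord(child.Name, d))
}

// parentOf: "hpcl.titech.ac.jp" -> "titech.ac.jp", ..., "jp" -> ".".
func parentOf(name string) string {
	if i := strings.IndexByte(name, '.'); i >= 0 {
		return name[i+1:]
	}
	return "."
}

// Resolver holds its trust anchors: zone name -> DS digest of the key it trusts.
type Resolver struct{ anchors map[string][]byte }

// Validate walks from the closest enclosing trust anchor down to name, hop by hop,
// over wire (the zones the network serves). Each hop's DNSKEY must match the DS the
// previous hop vouched for, and each DS must be validly signed by the previous hop's
// key; an anchor for titech.ac.jp means ".", "jp" and "ac.jp" are never consulted.
func (r *Resolver) Validate(wire map[string]*Zone, name string) error {
	var hops []string // anchor first, name last
	for n := name; ; n = parentOf(n) {
		hops = append([]string{n}, hops...)
		if _, ok := r.anchors[n]; ok {
			break
		} else if n == "." {
			return fmt.Errorf("%s: no trust anchor covers this name", name)
		}
	}
	expect := r.anchors[hops[0]]
	for i, hop := range hops {
		z := wire[hop]
		if z == nil || !bytes.Equal(dsDigest(hop, z.pub), expect) {
			return fmt.Errorf("%s: DNSKEY does not match trusted DS (bogus)", hop)
		}
		if i+1 < len(hops) { // not the leaf yet: this key must have signed the next hop's DS
			child := hops[i+1]
			if expect = z.ds[child]; expect == nil || !ed25519.Verify(z.pub, dsRecord(child, expect), z.dsSig[child]) {
				return fmt.Errorf("%s: no validly signed DS for %s", hop, child)
			}
		}
	}
	return nil // secure: the leaf key is what validates the host's own records
}

// Scenario builds the hierarchy from the thread and validates hpcl.titech.ac.jp with a
// root-only anchor and with an added titech.ac.jp anchor, first as published, then
// after "jp" (a third party to both sides) has re-delegated ac.jp to attacker keys.
func Scenario() (rootBefore, directBefore, rootAfter, directAfter error) {
	root, jp, acjp := NewZone("."), NewZone("jp"), NewZone("ac.jp")
	titech, hpcl := NewZone("titech.ac.jp"), NewZone("hpcl.titech.ac.jp")
	wire := map[string]*Zone{}
	for i, z := range []*Zone{root, jp, acjp, titech, hpcl} {
		wire[z.Name] = z
		if i > 0 {
			wire[parentOf(z.Name)].Delegate(z)
		}
	}
	rootOnly := &Resolver{anchors: map[string][]byte{".": dsDigest(".", root.pub)}}
	direct := &Resolver{anchors: map[string][]byte{".": dsDigest(".", root.pub),
		"titech.ac.jp": dsDigest("titech.ac.jp", titech.pub)}} // the university's key, configured by hand
	rootBefore, directBefore = rootOnly.Validate(wire, hpcl.Name), direct.Validate(wire, hpcl.Name)

	// The attacker runs its own ac.jp, titech.ac.jp and hpcl.titech.ac.jp, and jp
	// (compromised, coerced, or simply mistaken) signs a DS pointing at the first of them.
	for _, e := range []*Zone{NewZone("ac.jp"), NewZone("titech.ac.jp"), NewZone("hpcl.titech.ac.jp")} {
		wire[parentOf(e.Name)].Delegate(e)
		wire[e.Name] = e
	}
	rootAfter, directAfter = rootOnly.Validate(wire, hpcl.Name), direct.Validate(wire, hpcl.Name)
	return
}
```

With only the root anchor, the attacker's chain validates after jp re-delegates ac.jp: every hop's key matches the DS its parent signed, which is exactly what "hop by hop" means, so the validator has no way to tell that the university never issued those keys. With a direct anchor for titech.ac.jp the walk starts there, the attacker's titech key fails to match the configured digest, and jp's delegation is never even looked at. The same anchor also keeps the genuine zone validating regardless of what jp publishes, at the cost Paul describes: someone has to obtain and maintain that anchor out of band for every zone handled this way.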