Joe,
You have argued that DNSSEC is not viable because it requires that
everyone adopt IANA as the common root. I agree that under the
current IANA management situation many folks may be uncomfortable
with IANA as the root. However, in practice, the world has lived
with IANA as the root for the non-secure version of DNS for a long
time, so it's not clear that a singly-rooted DNSSEC is not viable
based on this one concern. Moreover, DNSSEC is a form of PKI, an din
ANY PKI, it is up to the relying parties to select the trust anchors
they recognize. In a hierarchic system like DNS, the easiest
approach is to adopt a single TA, the DNS root. But, it is still
possible for a relying party to do more work and select multiple
points as TAs. I would expect military organizations in various parts
of the world to adopt a locally-managed TA store model for DNSSEC, to
address this concern. However the vast majority of Internet users
probably are best served by the single TA model.
As for DNSCurve, I agree with the comments that several others have
made, i.e., it doe snot provide the fundamental security one wants in
DNS, i.e., an ability to verify the integrity and authenticity of
records as attested to by authoritative domains, din the face of
caching.
Steve
_______________________________________________
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf