In message <p06240803c65430cf6e92@[10.10.10.117]>, Stephen Kent writes: > Joe, > > You have argued that DNSSEC is not viable because it requires that > everyone adopt IANA as the common root. Which isn't even a requirement. Alternate root providers just need to get copy of the root zone with DS records and sign it with their own DNSKEY records for the root. ISP's that choose to use alternate roots might get complaints however from their customers if they are validating the answers using the trust-anchors provided by IANA. This however should be seen as a good thing as the ISP can no longer tamper with the DNS without being detected. If a ISP can convince all their customers that the alternate roots are a good thing then this won't become a issue. > I agree that under the > current IANA management situation many folks may be uncomfortable > with IANA as the root. However, in practice, the world has lived > with IANA as the root for the non-secure version of DNS for a long > time, so it's not clear that a singly-rooted DNSSEC is not viable > based on this one concern. Moreover, DNSSEC is a form of PKI, an din > ANY PKI, it is up to the relying parties to select the trust anchors > they recognize. In a hierarchic system like DNS, the easiest > approach is to adopt a single TA, the DNS root. But, it is still > possible for a relying party to do more work and select multiple > points as TAs. I would expect military organizations in various parts > of the world to adopt a locally-managed TA store model for DNSSEC, to > address this concern. However the vast majority of Internet users > probably are best served by the single TA model. > > As for DNSCurve, I agree with the comments that several others have > made, i.e., it doe snot provide the fundamental security one wants in > DNS, i.e., an ability to verify the integrity and authenticity of > records as attested to by authoritative domains, din the face of > caching. > > > Steve > _______________________________________________ > Ietf mailing list > Ietf@xxxxxxxx > https://www.ietf.org/mailman/listinfo/ietf -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@xxxxxxx _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf