Re: IAB statement on the RPKI.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Martin Rex wrote:
DNSsec, as far as I can see, does not use a PKI in the traditional
sense.  There are _NO_ persons involved in the process,
I can see some... ;)

Any operation which is placed out-of-band of DNSSec requires some trusted manual intervention.

Just for example:

First person - zone administrator who manually creates KSK pair and, private part of it in secure place and ensure that no unauthorized use of it is probalbe.

Second person - the administrator of upper zone, who receives DS record from lower zone, manually ensures that it came from authorized source and decides to place it in the zone file.

Lot of persons (all resolvers administrators) - who should manually change the root zone KSK, when rollover occurs, manually ensuring beforehand that new KSK has came from authorized source.

Yes, the plain X.509 certificates are not used in DNSSec, but the overall system design is the PKI-style.

dol@

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]