RE: hat tip to .gov hostmasters

[<marcus.sachs () verizon com>]

DNSSEC is not a PKI.  There are no CAs and no X.509 certificates.  It's a chain of trust that can be validated using 
public/private key pairs.  OK, that's oversimplification but you get the idea.

While we wait for applications to become DNSSEC-aware, if your local DNS server can be trusted (a big "if" of course) 
then it can proxy the DNSSEC awareness for you.  Since nearly everybody trusts a local DNS server to resolve queries, 
then making that server DNSSEC aware is an enormous step forward, even if the actual applications and operating systems 
on end-user computers are not fully DNSSEC-aware and won't be for many years to come.

Marc

-----Original Message-----
From: Florian Weimer [mailto:fweimer () bfk de] 
Sent: Monday, September 22, 2008 11:10 AM
To: Colin Alston
Cc: nanog () nanog org
Subject: Re: hat tip to .gov hostmasters

* Colin Alston:

> > Correct, you need a validating, security-aware stub resolver, or the
> > ISP needs to validate the records for you.

> In public space like .com, don't you need some kind of central
> trustworthy CA?

No, why would you?  You need to trust the zone operator, and you need
some trustworthy channel to exchange trust anchors at one point in
time (a significant improvement compared to classic DNS, where you
need a trustworthy channel all the time).

-- 
Florian Weimer                <fweimer () bfk de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99