Joe Baptista writes:
DNSSEC indeed violates the end to end principle. It's simply that simple.
And it asks us to put our trust in the root a.k.a. ICANN. I don't think
governments world wide are going to put their trust and faith in ICANN. The
U.S. Government is the only government that has been bamboozled into
adopting DNSSEC into .gov infrastructure.
I wonder how President Obama would feel about handing over the keys to U.S.
Government infrastructure to a U.S. contractor. I'd have trouble sleeping
at night if that was the case.
I've addressed this at length in my comments to the NTIA.
If the U.S. government wants DNSSEC today then it must nationalize the
roots. I don't even trust Vixie with the root. I remember when he hijacked
the root with Postel. Or as they put it "we were only running an
In any case the new infrastructure campaign demands U.S. government roots be
set up to exclusively serve U.S. network infrastructure.
p.s. If you want to secure the DNS end to end - think DNSCurve - not DNSSEC.
DNSCurve has exactly the same trust issues as DNSSEC does.
You are trusting the parent to give you a secure introduction
to the child. The introduction is just encoded differently.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka(_at_)isc(_dot_)org
Ietf mailing list