Martin Rex wrote:
> DNSSEC, as far as I can see, does not use a PKI in the traditional
> sense. There are _NO_ persons involved in the process,
I can see some... ;)
Any operation which is placed out of band of DNSSEC requires some
trusted manual intervention.
Just for example:
First person - the zone administrator, who manually creates a KSK pair,
keeps the private part of it in a secure place and ensures that no
unauthorized use of it is probable.
Second person - the administrator of the upper zone, who receives the DS
record from the lower zone, manually ensures that it came from an
authorized source and decides to place it in the zone file.
Lots of persons (all resolver administrators) - who should manually
change the root zone KSK when a rollover occurs, manually ensuring
beforehand that the new KSK has come from an authorized source.
Yes, plain X.509 certificates are not used in DNSSEC, but the overall
system design is PKI-style.
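The out-of-band step the post describes for the "second person" has a concrete, checkable form: the upper-zone administrator should only publish a DS record that matches a key-signing key the lower zone actually publishes in its DNSKEY RRset. The following is an added example, not code from the original post or from any DNS software; it implements the DS digest (SHA-256 over the canonical owner name plus DNSKEY RDATA, RFC 4034 section 5.1.4) and the key tag (RFC 4034 Appendix B) and uses them to vet a submitted DS. The zone name `example.` and the key bytes are constructed test values, not real keys.

```python
import hashlib
import struct

# DNSKEY flag bits (RFC 4034 s.2.1 / RFC 3757): 256 = zone key, 1 = SEP (key-signing key)
ZONE_KEY_FLAG = 0x0100
SEP_FLAG = 0x0001


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s.6.2):
    lowercase, length-prefixed labels, terminated by the root label (0x00)."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """Build DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag as in RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Derive the DS RDATA (key tag, algorithm, digest type, hex digest) for a DNSKEY.
    Digest type 2 (SHA-256) is the one shown here; the input is owner-name-wire || RDATA."""
    if digest_type != 2:
        raise ValueError("this example only implements DS digest type 2 (SHA-256)")
    algorithm = rdata[3]
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parent_accepts_ds(owner: str, submitted_ds: tuple, child_dnskeys: list) -> bool:
    """The upper-zone administrator's check from the post: accept a DS received
    out of band only if it was derived from a key-signing key (zone key + SEP flags)
    that the child zone actually publishes. Anything else is rejected."""
    for rdata in child_dnskeys:
        flags = struct.unpack("!H", rdata[:2])[0]
        if flags & (ZONE_KEY_FLAG | SEP_FLAG) != (ZONE_KEY_FLAG | SEP_FLAG):
            continue  # a ZSK (or a non-zone key) must never be anchored by a DS
        if ds_from_dnskey(owner, rdata, submitted_ds[2]) == submitted_ds:
            return True
    return False


def ds_presentation(owner: str, ds: tuple) -> str:
    """Zone-file form of a DS record, e.g. 'example. IN DS 59409 13 2 <hex>'."""
    tag, alg, dtype, digest = ds
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


# Constructed sample data: a child zone with one KSK and one ZSK, algorithm 13
# (ECDSAP256SHA256) whose public key is 64 bytes. These byte patterns are NOT real keys.
CHILD_ZONE = "example."
CHILD_KSK = dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 13, bytes(range(64)))
CHILD_ZSK = dnskey_rdata(ZONE_KEY_FLAG, 13, bytes(range(64, 128)))
SUBMITTED_DS = ds_from_dnskey(CHILD_ZONE, CHILD_KSK)

if __name__ == "__main__":
    print(ds_presentation(CHILD_ZONE, SUBMITTED_DS))
    print("accept genuine KSK DS:", parent_accepts_ds(CHILD_ZONE, SUBMITTED_DS, [CHILD_ZSK, CHILD_KSK]))
    bogus = ds_from_dnskey(CHILD_ZONE, dnskey_rdata(ZONE_KEY_FLAG | SEP_FLAG, 13, bytes(64)))
    print("accept DS for unpublished key:", parent_accepts_ds(CHILD_ZONE, bogus, [CHILD_ZSK, CHILD_KSK]))
```

The point of the check is that the DS is only as trustworthy as the channel it arrived over; recomputing it from the DNSKEY RRset the child serves ties the submission to the key the child actually uses, and refusing DS records that point at a ZSK keeps the delegation anchored to the key the child administrator treats as its secure entry point.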
IETF mailing list