On Tue, 2 Jun 2009, Masataka Ohta wrote:
For my domain: "necom830.hpcl.titech.ac.jp", hierarechy of zones
have hops of ".", "jp", "ac.jp", "titech.ac.jp" and
"hpcl.titech.ac.jp". The authority hops are IANA, JPNIC, my
university, and my lab. Though you may have direct relationship
with IANA, JPNIC is the third party for both you and me.
Yes, security of DNSSEC is totally hop by hop.
Just as DNS was designed to work. hierarchical. If you want to
add additional protection because you don't trust your parents,
no one stops you from using a DNSSEC capable resolver that has
DNSSEC zones configured directly, without relying on the parent.
I can't preload 50 million keys. I cannot build trust relations
with 50 millions domains. Just like we could not preload 50
million nameserver pointers.
Hierarchy is the strength of DNS, not its weakness. DNSSEC allows
you to specifically bypass the hierarchy for whatever zone you
want. The only real question is, how does Masataka Ohta scale?
My suspicion is that you don't scale to 50M domains, and that
you will be forced to outsource some of that trust. DNSSEC
does the outsourcing of trust distributed to the same people
who are already responsible for the data you're about to trust.
And note that even if you scale to 50M domains, I don't, so don't expect
me to setup a trust relationship with you specifically.
Paul
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg