That was not my question. My question was
What assurance features or mechanisms are going to be used
throughout the DNS that will make all of us trust all of
those servers for all of our applications?

It doesn't matter. You take the certificate you get back from the
server and do a cryptographic check back to the root key. That is a
known problem (How do you trust a key that someone sends to you in the
mail anyways? Same method!)
The biggest problem, currently, is getting DNS to deliver such large
pieces of data. That seems to be the more pressing problem. We
solved certificate verification in the creation of certificates.

-derek
Derek Atkins, SB '93 MIT EE, G MIT Media Laboratory
Secretary, MIT Student Information Processing Board (SIPB)
warlord(_at_)MIT(_dot_)EDU PP-ASEL N1NWH