[afnog] first signed root zone

Bill Woodcock woody at pch.net
Fri Jul 16 08:46:04 UTC 2010


Actually, the value of DNSsec is that the signature is over the _data_ in the zone, not just your connection to any one server.  So the data you get from the Nairobi root server is now signed, as is that from all other root servers, regardless of location.

Once a zone is signed, security no longer depends upon a transitive trust relationship between the user, the recursive server, the authoritative server, and the administrator of the zone... The zone administrator's signature can be verified by the end user, regardless of how they got the data or who may have been in between. 
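The point made in the two paragraphs above (the signature covers the zone data, so a validator holding the zone's public key can check a copy obtained from any server or through any intermediary) can be shown with a small model. The code below is an added illustration, not part of Bill's message and not real DNSSEC software: it uses textbook RSA over a SHA-256 digest with short keys in place of the actual DNSKEY/RRSIG formats, and the zone names, record data and "server copies" are constructed for the example.

```python
"""Toy model of DNSSEC data-origin authentication (added example).

An RRSIG-style signature is computed once by the zone administrator over the
canonical form of an RRset. A validator that holds only the zone's public key
(its trust anchor) can then accept or reject any copy of that RRset, no matter
which server or relay delivered it. Textbook RSA with small keys is used here
purely for illustration; it is not the real DNSSEC wire format and not for
production use.
"""
import hashlib
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (enough for a toy key generator)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def canonicalize(owner, rtype, rdata):
    """Mimic DNSSEC canonical form: lowercase owner, records sorted, so every
    server serialises the same RRset to identical bytes before hashing."""
    lines = sorted(f"{owner.lower()} IN {rtype} {r}" for r in rdata)
    return "\n".join(lines).encode()


def _digest(owner, rtype, rdata):
    return int.from_bytes(hashlib.sha256(canonicalize(owner, rtype, rdata)).digest(), "big")


def sign_rrset(private_key, owner, rtype, rdata):
    """Zone administrator's step: sign the RRset data (toy RSA)."""
    n, d = private_key
    return pow(_digest(owner, rtype, rdata), d, n)


def verify_rrset(public_key, owner, rtype, rdata, signature):
    """Validator's step: needs only the public key and the data it received."""
    n, e = public_key
    return pow(signature, e, n) == _digest(owner, rtype, rdata) % n


def demo():
    """Constructed scenario: one signed RRset, three copies from different paths."""
    pub, priv = generate_keypair()
    owner, rtype = "example.", "NS"            # constructed zone data
    rdata = ["a.ns.example.", "b.ns.example."]
    sig = sign_rrset(priv, owner, rtype, rdata)

    copy_from_local_server = list(rdata)       # e.g. the Nairobi instance
    copy_via_relay = list(reversed(rdata))     # same data, different order/path
    tampered_copy = ["a.ns.example.", "x.ns.invalid."]  # altered in transit

    return {
        "local": verify_rrset(pub, owner, rtype, copy_from_local_server, sig),
        "relayed": verify_rrset(pub, owner, rtype, copy_via_relay, sig),
        "tampered": verify_rrset(pub, owner, rtype, tampered_copy, sig),
    }


if __name__ == "__main__":
    print(demo())
```

The validator in `verify_rrset` never learns, and does not need to know, which server answered: the local copy and the relayed copy both verify because the canonical data is identical, while the altered copy fails because the signature was over the original data. That is the property the message describes; a TLS-style channel guarantee would instead only tell you which server you were talking to.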

The down-side is that it makes the zone much larger, so nameservers take a lot more bandwidth to host, but that's not much of an issue with the root, which is a very small zone, only a few hundred records, to begin with.  And .ORG, the largest zone to be signed so far, has already been operating in Nairobi for the better part of two years. 

                   -Bill


-----Original Message-----
From: Walubengo J <jwalu at yahoo.com>
Sender: afnog-bounces at afnog.org
Date: Fri, 16 Jul 2010 01:01:04 
To: <afnog at afnog.org>; ALAIN AINA<aalain at trstech.net>
Subject: Re: [afnog] first signed root zone

_______________________________________________
afnog mailing list
http://afnog.org/mailman/listinfo/afnog
