> but it ain't the crypto.  never has been.  and it is not always
> easy to explain math in plain english.  so let's focus on where
> work needs to be done.

You and I are in violent agreement. The problem is
in understanding whether or not the crypto under the
hood really does provide a TRUSTABLE system. And that
is more to do with policies and procedures. This is
the stuff that I don't see explained in plain English
so that the decision makers who rely on DNS can
make a decision on DNSSEC.

Ed Lewis pointed out two presentations which
he claims have no crypto. However, his own
presentation at Apricot is laced with technical
jargon including crypto. Stuff like "hierarchy
of public keys", "DNSSEC data", "hash of the DNSKEY",
"certificates", and so on. This is fine for a
technical audience but it won't help explain the
issue to the decision makers who spend the money.

I understand how the crypto works to the extent
that I believe it is technically possible for
something like DNSSEC to work. However, I don't
see an explanation of the policies and procedures
that convinces me that DNSSEC really does work.
The history of crypto-based security is filled
with flawed implementations.

--Michael Dillon
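The message above lists "hierarchy of public keys" and "hash of the DNSKEY" as the jargon a decision maker is expected to swallow. For readers who want to see what that one link in the hierarchy actually is, here is an added example, not part of Michael Dillon's message or of any DNSSEC implementation: it computes the DS record a parent zone publishes for a child's DNSKEY (digest over the owner name in wire form followed by the DNSKEY RDATA, and the key tag from RFC 4034 Appendix B) and then performs the check a validator does when it compares the parent's DS against the child's key. The key bytes and zone name are constructed for illustration and are not a real key or a real delegation.

```python
import hashlib
import hmac
import struct

# DS digest type codes (RFC 4034 section 5.1.3 and RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased labels, each
    prefixed by its length, terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, then the key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in.
    It only disambiguates keys; it is not a security check."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """The 'hash of the DNSKEY' published by the parent: digest(owner_wire || DNSKEY RDATA)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest()


def ds_record(owner: str, rdata: bytes, digest_type: int = 2):
    """DS RDATA fields as the parent would publish them: (key tag, algorithm, digest type, digest)."""
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches_dnskey(ds, owner: str, rdata: bytes) -> bool:
    """Validator's check: does this parent-published DS authenticate this child DNSKEY?
    Tag and algorithm must agree, digest type must be known, and the digest must match."""
    tag, alg, dtype, digest_hex = ds
    if tag != key_tag(rdata) or alg != rdata[3] or dtype not in DIGEST_ALGS:
        return False
    return hmac.compare_digest(digest_hex.lower(), ds_digest(owner, rdata, dtype))


def demo():
    """Constructed delegation: a KSK (flags 257) for 'example.' using algorithm 13.
    The 64 key bytes are a placeholder pattern, not a real public key."""
    child = "example."
    ksk = dnskey_rdata(257, 3, 13, bytes(range(64)))   # constructed, not a real key
    ds = ds_record(child, ksk)                          # what the parent would publish
    genuine = ds_matches_dnskey(ds, child, ksk)
    # One flipped key byte: the DS still names the same zone and algorithm but no longer matches.
    tampered = ksk[:-1] + bytes([ksk[-1] ^ 0x01])
    forged = ds_matches_dnskey(ds, child, tampered)
    return ds, genuine, forged


if __name__ == "__main__":
    ds, genuine, forged = demo()
    print("DS:", ds)
    print("genuine key accepted:", genuine, "| tampered key accepted:", forged)
```

The point the example makes concrete is the one the message is asking about: the math of the link is a few dozen lines, and whether it is trustworthy depends entirely on who got to publish that DS at the parent and under what procedure.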

