North American Network Operators Group

Re: America takes over DNS
On Mon, Apr 02, 2007 at 07:45:08AM -0700, David Conrad wrote:
>
> Hi,
>
> >Wouldn't the holder of these keys be the only ones able to spoof
> >DNSSEC?
>
> Yes. This is an assumption of DNSSEC, regardless of who signs the
> root. The implication of this (and the fact that emergency key
> rollover requires everyone on the planet with a validating resolver
> to update the root trust key manually) is that protecting the root
> key signing key is a bit important.
>
> Rgds,
> -drc

one important attribute of key roll would seem to be the
lack of a "flag-day". ... there are at least a couple of proposals
that mitigate that particular risk.

--bill