DNS Scaling issues
McTim
mctim at BUSHNET.NET
Tue Oct 27 19:16:12 CET 2009
On Tue, Oct 27, 2009 at 6:26 PM, Milton L Mueller <mueller at syr.edu> wrote:
> ________________________________________
> From: Jorge Amodio [jmamodio at gmail.com]
>
>>DNSSEC is not a magic solution and it's only one of the tools to start building
>>a more secure infrastructure, and as McTim said just signing the TLDs doesn't
>>do it, since the "chain of trust" starts from the root.
>
> It doesn't have to start from the root. There can be a Trust Anchor Repository instead.
TARs are a temporary, non-scalable measure.  One key is easier to
configure, roll over, etc.  Managing multiple keys (dozens or
hundreds?) would not be workable. The design of DNSSEC is a chain of
trust, followed from the root on down, hence one key.
--
Cheers,
McTim
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there." Jon Postel