DNSSEC is not a PKI. There are no CAs and no X.509 certificates. It's a chain of trust that can be validated using public/private key pairs. OK, that's oversimplification but you get the idea. While we wait for applications to become DNSSEC-aware, if your local DNS server can be trusted (a big "if" of course) then it can proxy the DNSSEC awareness for you. Since nearly everybody trusts a local DNS server to resolve queries, then making that server DNSSEC aware is an enormous step forward, even if the actual applications and operating systems on end-user computers are not fully DNSSEC-aware and won't be for many years to come. Marc -----Original Message----- From: Florian Weimer [mailto:fweimer@bfk.de] Sent: Monday, September 22, 2008 11:10 AM To: Colin Alston Cc: nanog@nanog.org Subject: Re: hat tip to .gov hostmasters * Colin Alston:
Correct, you need a validating, security-aware stub resolver, or the ISP needs to validate the records for you.
In public space like .com, don't you need some kind of central trustworthy CA?
No, why would you? You need to trust the zone operator, and you need some trustworthy channel to exchange trust anchors at one point in time (a significant improvement compared to classic DNS, where you need a trustworthy channel all the time). -- Florian Weimer <fweimer@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99