Date: Tue, 27 Oct 2009 21:16:12 +0300
Content-Type: text/plain; charset=ISO-8859-1
MIME-Version: 1.0

On Tue, Oct 27, 2009 at 6:26 PM, Milton L Mueller <[log in to unmask]> wrote:
> ________________________________________
> From: Jorge Amodio [[log in to unmask]]
>
>>DNSSEC is not a magic solution and it's only one of the tools to start building
>>a more secure infrastructure, and as McTim said just signing the TLDs don't
>>do it, since the "chain of trust" starts from the root.
>
> It doesn't have to start from the root. There can be a Trust Anchor Repository instead.

TARs are a temporary, non-scalable measure. One key is easier to
configure, rollover, etc. Managing multiple keys (dozens or
hundreds?) would not be workable. The design of DNSSEC is a chain of
trust, followed from the root on down, hence one key.
--
Cheers,
McTim
"A name indicates what we seek. An address indicates where it is. A
route indicates how we get there." Jon Postel