Jim Reid wrote:
On Oct 20, 2008, at 17:55, Dmitry Burkov wrote:
For me the issue - as I wrote in a previous email to Joao - is how it can be used in software in future.
I'm not sure I understand the question Dima. DNSSEC is an enabling technology because it gives new opportunities (and challenges) to developers. If data from the DNS can be verified, that opens up all sorts of possibilities.
One technical question that could be asked here is "what happens when idiot developers embed the root key in an embedded system (say) and then the root key changes?". Is that what you're asking about?
Jim, I hope that you remember the laws of Murphy and Peter... or if it can happen it will happen and so on...
Depending on this - it can be critical.
Second point - how it will be used for .arpa
See above. We already have some (limited) experience here with the NCC's efforts to sign parts of the reverse tree.
The same problem will increase.
Third point (not related to DNS - sorry - but a similar problem) - sidr and its deployment.
I think it's unwise to link these. Though I suppose a signed part of the DNS name space would make it a whole lot easier to look up and verify (secure) routing announcements.
But sidr deployed will raise more issues as a potential "red button". I want to return to your previous example with .ru. I don't think that it could really happen with .ru - but I can easily imagine this situation with some other country. But when some probability exists I personally worry - as we can create a potentially dangerous tool with the best intentions. When in our world services for citizens more and more depend on the Internet - I really worry about principal changes in Internet architecture. If before we de facto had a system which depended more on techies - person and professional-based responsibility - in future we can get a more automated system which will lose this previous basis and can become a weapon in the hands of politicians.

Dima