[dns-operations] renesys blog: Identity Theft Hits the Root Name Servers

Edward Lewis Ed.Lewis at neustar.biz
Wed May 21 17:44:12 UTC 2008

At 17:26 +0100 5/21/08, Tony Finch wrote:
>On Wed, 21 May 2008, Edward Lewis wrote:
>>  Assuming that the change of an address is a rare event, we measure
>>  the the "mean time between events" in years (not months).  This time
>>  will likely be longer than the lifetime of any public key with the
>>  importance of "protecting" the root zone or root hints.
>I'm not sure that's right. The lifetime of X.509 certificates embedded in
>browsers is very long - 25 years for Thawte, 30-40 years for Verisign,

In that case, maybe there's a chance of leveraging that.  But, tying 
back to the suggestion of DNSSEC, DNSSEC doesn't use certificates. 
Maybe the solution search space (to the problem of protecting the 
root zone) has been too narrow, perhaps "serious" PKI armor is needed.
Edward Lewis                                                +1-571-434-5468

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list