[dns-operations] will germany therefore make dnssec illegal on their shores?

[Peter Koch]

On Fri, Jun 19, 2009 at 11:27:09AM +0200, Stefan Schmidt wrote:

> This is exactly the question i will ask at the "DNSSEC Testbed for Germany"
> event 2nd of July in Frankfurt am Main.
> -> http://www.denic.de/en/domains/dnssec/dnssectestbed.html

thanks for pointing to this event.

> Note that BSI - Germany's Federal Office for Information Security -
> currently urges for a .de DNSSEC rollout in 2010.

That may be true, but what is really upcoming is a testbed within 2010
only after which a decision w.r.t. deployment is scheduled to be made.

And as I've said before and also as Otmar has pointed out, there's little
incompatibility between DNSSEC and government enhanced DNS responses.
Only in those cases where the client side validator relies upon the ISP's
resolving infrastructure the validation would fail and the "redirection"
wouldn't work.  Still the target would remain unresolvable.  In no way does
this solve the schizophrenia of protecting the infrastructure from bad
forgery while not tampering with "good" forgery.

-Peter