[dns-operations] Key management and computer "mere mortals" (was: .Org DNSSEC key management policy feedback)

Michael Monnerie michael.monnerie at is.it-management.at
Wed Jun 24 13:35:45 UTC 2009

On Mittwoch 24 Juni 2009 Andrew Sullivan wrote:
> I cannot believe, however, that a group of people as smart and
> knowledgable as those I know to be working on this problem will be
> unable to come up with a solution to it.  There are, in fact, already
> some very fetching proposals available, and I think we can build on
> those to make DNSSEC safe for mere mortals.  But we first have to
> commit to that operational goal.


Currently DNS requires almost no maintenance, while for DNSSEC you'd 
require tons of test tools who constantly monitor everything, and in 
case of an error you manually need to do things that are not to-be-done 
by the average admin, you'd need a real DNSSEC admin.

The tools (bind,...) must be installable similar to now, and run alone 
until a really bad thing happens, and then it must be easily clear what 
to do. Everything else will let DNSSEC in the "geek tool" corner for the 
next ten years, or until some better-than-Kaminsky attack is found.

mfg zmi
// Michael Monnerie, Ing.BSc    -----      http://it-management.at
// Tel: 0660 / 415 65 31                      .network.your.ideas.
// PGP Key:         "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net                  Key-ID: 1C1209B4

More information about the dns-operations mailing list