[dns-operations] Key management and computer "mere mortals" (was: .Org DNSSEC key management policy feedback)
Michael Monnerie
michael.monnerie at is.it-management.at
Wed Jun 24 13:35:45 UTC 2009
On Wednesday 24 June 2009 Andrew Sullivan wrote:
> I cannot believe, however, that a group of people as smart and
> knowledgeable as those I know to be working on this problem will be
> unable to come up with a solution to it. There are, in fact, already
> some very fetching proposals available, and I think we can build on
> those to make DNSSEC safe for mere mortals. But we first have to
> commit to that operational goal.

+1

Currently DNS requires almost no maintenance, while for DNSSEC you'd
require tons of test tools that constantly monitor everything, and in
case of an error you need to manually do things that are not to be done
by the average admin; you'd need a real DNSSEC admin.

The tools (bind, ...) must be installable similarly to now, and run alone
until a really bad thing happens, and then it must be easily clear what
to do. Everything else will leave DNSSEC in the "geek tool" corner for the
next ten years, or until some better-than-Kaminsky attack is found.

Kind regards, zmi
--
// Michael Monnerie, Ing.BSc ----- http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: "curl -s http://zmi.at/zmi.asc | gpg --import"
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4