[dns-operations] Online DNSSEC debugging tool now availalbe

bmanning at vacation.karoshi.com bmanning at vacation.karoshi.com
Mon Jul 19 18:44:51 UTC 2010

On Mon, Jul 19, 2010 at 01:40:25PM -0400, Andrew Sullivan wrote:
> On Mon, Jul 19, 2010 at 05:35:36PM +0000, bmanning at vacation.karoshi.com wrote:
> > > Because .org rolled their key, changed the DS in ., and didn't publish
> > > a new TA?
> > 
> > 
> > 	sounds irresponsible to me. 
> Thanks.  You have now illustrated the argument about why it was not
> obvious whether to put the DS into the root for .org, given that .org
> made their plans about signing &c. long before it was clear that the
> root would be signed.

	if an entity changes its crypto keys and only tells -some- of the
	parties who use it, that seems irresponsible to me.  the specifics
	of .org are outside my current understanding.

> > 	Do you want to hang your corporate success on a third party?
> I'm afraid that, if you do business on the Internet using the DNS
> today, you already do even if you don't like it.  (As a matter of
> historical fact, I would argue that this was always true even before
> the Internet.  "He who is unable to live in society, or who has no
> need because he is sufficient for himself, must be either a beast or a
> god.")

	the question of liability emerges. if one does business on 
	the Internet and the unexpected happens, who ends up with the
	financial/legal liabilty?  For many, the business is conducted
	via a non-Internet channel, e.g. a credit card issuer.  And most
	CC issuers have some form of fraud protetion that is not linked
	to Internet-specific transactions.  

	I can't (yet) see DNSSEC validated lookups mitigating any of the
	existing liability, in fact I see it increasing liability exposure.
	But thats just me.

	"Ray, when someone asks you if you're a god, you  say "YES"
				- Winston Zeddemore
> A
> -- 
> Andrew Sullivan
> ajs at shinkuro.com
> Shinkuro, Inc.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

More information about the dns-operations mailing list