Archive for October, 2008

Choosing VeriSign now means VeriSign signs forever

Friday, October 31st, 2008

It comes down to who performs the routine daily signings – VeriSign or ICANN in its performance of the IANA function. If signing is done as part of the IANA function, it can be moved to different organizations if need be and, as part of the IANA function, it is subject to IETF/IAB authority as well. If VeriSign does it, it is at the complete discretion of the US Department of Commerce/NTIA and unlikely to ever be moved. So choosing VeriSign now locks us into a long-term future of USG DNSSEC control.

Duh: For DNSSEC to be trusted, the only org that can sign a TLD operator’s keys is the org that “knows” them.

Thursday, October 23rd, 2008

I don't even know why this is a question. This is so simple. The operator of the IANA function, whose job it is to maintain close relationships with the world's TLD operators, is the only one that can fully attest to the validity of their DS records (in the face of both psychological and technical attacks). So they are the only ones that could sign them with the root ZSK. This is so simple … and secure and stable.