<div dir="ltr"><br><br><div class="gmail_quote">On Wed, Sep 3, 2008 at 12:30 PM, John Curran <span dir="ltr"><<a href="mailto:jcurran@istaff.org">jcurran@istaff.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style=""><div>Mr. Mitchell - </div><div> </div><div> While perhaps not the ideal place, asking the PPML mailing list certainly works.</div><div><br></div><div> The topic has not been discussed at before the ARIN membership, but the ARIN </div>
<div> Board has discussed this topic and has directed staff to make those preparations </div><div> necessary for signing those reverse zones contained in-addr records for space </div><div> under ARIN's administration. Note that the actual effectiveness in security that</div>
<div> results is rather limited until both .arpa and the DNS root zone are also signed.</div></div></blockquote><div><br>I think the U.S. Government should be congratulated on its use of DNSSEC to secure the zone. It's a bold experiment, if not an act of faith to use the USG .gov to test an untested experimental protocol. Tip of my hat to you all on that.<br>
<br>But I nor the world is convinced we want to be a part of it. First imho DNSSEC is a colossal fraud. 1) It does nothing to secure the DNS (any kiddie with a bot net can crack it - so can governments, military and large corporations that have the resources to do it), 2) it remains vulnerable to man in the middle attacks, and 3) incurs significant costs on infrastructure maintenance.<br>
<br>But the most repulsive aspects of DNSSEC is what I suspect is its true purpose is to take over control of the technical function of root. The whole scheme is based on chains of trust up the dns tree right to the root that has full control over the signatures. This is a lot of power to give to the gruesome thirteen. <br>
<br> <a href="http://www.root-servers.org/">http://www.root-servers.org/</a><br><br>Obviously the U.S. Government trusts these people to run the root. I do not. Neither does the Chinese Government or any government that has been properly briefed on the control aspects behind DNSSEC.<br>
<br>Stu if I may make a presumptive suggestion. When your boys at the USG figure out DNSSEC is not up to snuff in the security department may I suggest you start today investigating the operation of a secure system using the following technology:<br>
<br> <a href="http://dnscurve.org/">http://dnscurve.org/</a><br><br>I've also included some slide show documentation for you to read on it.<br><br>enjoy<br>joe baptista<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div style=""><div><div class="Wj3C7c"><br><div><div>On Sep 3, 2008, at 11:01 AM, <a href="mailto:Stu_Mitchell@ios.doi.gov" target="_blank">Stu_Mitchell@ios.doi.gov</a> wrote:</div><br><blockquote type="cite"><br><font face="sans-serif" size="2">Hello,</font> <br>
<br><font face="sans-serif" size="2">Pardon me, if this isn't the right place to ask....</font> <br> <br><font face="sans-serif" size="2">OMB issued OMB memo 08-23, which requires federal agencies to deploy DNSSEC to the second level domains under "dot gov" by December 2009. I was wondering about the reverse records. Are there plans to sign the reverse domains?</font> <br>
<br><font face="sans-serif" size="2">Thanks</font> <br> <br><font face="sans-serif" size="2">Stu Mitchell</font> <br><font face="sans-serif" size="2">Dept. of the Interior</font></blockquote></div></div></div></div><br></blockquote>
</div><br clear="all"><br>-- <br>Joe Baptista<br><a href="http://www.publicroot.org">www.publicroot.org</a><br>PublicRoot Consortium<br>----------------------------------------------------------------<br>The future of the Internet is Open, Transparent, Inclusive, Representative & Accountable to the Internet community @large.<br>
----------------------------------------------------------------<br> Office: +1 (360) 526-6077 (extension 052)<br> Fax: +1 (509) 479-0084<br><br>
</div>