At the moment? Nothing.
On 21/11/2009, Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> On Fri, Nov 20, 2009 at 10:30 PM, Mike McGrath <mmcgrath(a)redhat.com>
> wrote:
> > On Fri, 20 Nov 2009, Jeffrey Ollie wrote:
> >
> >> On Fri, Nov 20, 2009 at 10:09 PM, Mike McGrath <mmcgrath(a)redhat.com>
> >> wrote:
> >> >
> >> > So, for example 'fedoraproject.org' wouldn't be signed,
but
> >> > 'us.fedoraproject.org' would be? I *think* that's possible
but I
> >> > haven't
> >> > gotten it to work. If I can get that to work though I guess that
> >> > makes
> >> > sense because A) it'd work for now and B) I'm sure over time
pdns's
> >> > dnssec
> >> > will continue to mature.
> >>
> >> No, that wouldn't really work, because then you couldn't trust
lookups
> >> from the
fedoraproject.org zone, which would include delegations to
> >> the subdomains, the main website itself, MX records, etc.
> >>
> >
> > But if
fedoraproject.org pointed to some place that wasn't signed or was
> > signed incorrectly, wouldn't that fail?
>
>
fedoraproject.org can't be a CNAME because it has other records like
> MX, NS, SOA, etc. We'd have to switch to using
> 'www.fedoraproject.org' which could be a CNAME into an unsigned
> subzone.
>
> But then you'd still have the problem of relying on an unsigned zone
> serving up DNS data, eventually no one is going to trust it.
>
At this very moment, what is dnssec buying us?
-Mike