[Pdns-users] CERT RR?

Marten Lehmann lehmann at cnm.de
Tue Apr 11 10:52:06 UTC 2006


> Having been involved with PKI for the last 4 or so years, I highly doubt 
> this will be the case, the guys coding bind have been pushing their PKI 
> in DNS stuff for years and nothing is happening with it, nobody cares 
> apart from marketing departments and how much money they can make from 
> it...

I think the reality is somewhat different if you look, e.g., at the 
extensions that have recently been made to GnuPG. Signatures will become 
very important, as they are the only way to verify an identity. The drawback 
of S/MIME is that it requires CAs to issue certs, which costs money and 
is very centralised. On the other hand there is PGP, which uses a 
web of trust that doesn't really work, because in a company you don't 
want your keys to be signed by external keys; you want to build your 
own hierarchical "web of trust" where your sysadmins must be able to 
issue keys that are trusted by external parties without being 
signed by 20 other keys first. That's what DNS CERT was 
invented for: keys are stored with the domain name, so in a way you build 
your own CAs, which are verified by the CERT record of the corresponding 
domain name. I also found a nice article that explains all this, but it's 
in German: http://www.heise.de/security/artikel/71726 Maybe you can 
translate it with Babelfish or find an English version.

> Yet, why are there only 250,000 SSL-enabled sites? (Out of those, 21,000 
> sites are self-signed, and 85,000 are signed by unknown CAs)
> 150,000 "valid" SSL sites...

That's a completely different story, but I can explain it anyway: certs 
from CAs cost money, a lot of money. SSL is for encrypting sensitive 
data and increases the load on the web servers. What's the use of 
encrypting non-sensitive data and paying for a cert if you are hosting 
public information like news, pictures, your blog, personal homepage or 

> On the other side of the coin how many sites are using SSH?

Sites? It's not sites that use SSH but developers working on sites (and 
besides that you can do a lot more with SSH than just updating your 
homepage). I don't know anyone that is still using the old telnet, but everyone 
is using SSH.

