Confirm
298
edits
Changes
m
RevocationCurrently there is no revocation mechanism for DNS keys or signatures. Most signatures are valid for 1 month, however, so if a key has been compromised, the window of opportunity for evildoers is short.
→Security Considerations
Using this mechanism, the ability to produce material that authenticates a domain is tied to the doman name hierarchy. That is, an arbitrary organization cannot masquerade as another party unless they control a level of the domain system closer to the root and on the same path as their target. This prevents the current situation where certificate authorities can issue certificates for domains they should not be allowed to. However, this still means that the organization in charge of the root zone can masquerade as any domain, and the organizations in charge of top level domains can masquerade as any domain below theirs, and so on.
If a certificate is sent that includes a certificate chain, the certificate chain must validate up to a trusted root. This root is either the certificate identified by the DANE TLSA record in the DNSSEC chain or a trusted root CA certificate.
Similarly, if the certificate can be checked against OCSP/or a CRL checking, it should be. If the certificate has been revoked, the TLS session should not continue.
Configuration of DNSSEC is not significantly more difficult than configuring DNS. As long as private keys are not exposed, it would be difficult to configure DNSSEC in a way that is operable yet insecure.
