[afnog] .TZ DS records in root zone

Heinrich Strauss heinrich at hstrauss.co.za
Sat Feb 9 10:40:30 UTC 2013

Hi, Boney.

In a properly configured infrastructure, it is now more difficult (read: 
impossible, in most cases) to fake DNS entries under .tz or other 

It helps calm things with respect to compromised certificate issuers, as 
we've seen in the last few years, but is not a "silver-bullet." It also 
allows for things like putting SSH FingerPrints in the DNS (SSHFP 
records) or validating certificate signatures from the DNS (TLSA 
records). This helps to verify authenticity of the server you're 
connecting to in a security-conscious environment.

As with all security measures, though, it is one link in a large chain, 


On 2013/02/09 10:05, Boney Mutabazi wrote:
> Hi Every one i like what am reading  about the "TZ DS officially 
> signed" Question is to an every day internet user what does mean and 
> also to TZ ISPs both in terms of speed and cost per Gig
> thanks
> Boney
> On Feb 9, 2013 9:23 AM, "SM" <sm at resistor.net 
> <mailto:sm at resistor.net>> wrote:
>     Hi Simon,
>     At 13:34 08-02-2013 <tel:34%2008-02-2013>, Simon M. Balthazar wrote:
>         Yes Alain we do....TZ is officially signed.
>     Congratulations.
>     Regards,
>     -sm
>     _______________________________________________
>     afnog mailing list
>     http://afnog.org/mailman/listinfo/afnog
> _______________________________________________
> afnog mailing list
> http://afnog.org/mailman/listinfo/afnog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://afnog.org/pipermail/afnog/attachments/20130209/1a313646/attachment.html>

More information about the afnog mailing list