Re: [Asrg] DNSSEC is NOT secure end to end

2009-06-08 15:55:58
On Sat, 2009-06-06 at 13:09 +0900, Masataka Ohta wrote:
> David Wilson wrote:
>
> > However, I think there is some difference in the way people are using
> > some terms.
>
> According to the terminology of David Clark, PKI including DNSSEC
> is not secure end to end.

DNSSEC provides two things. Firstly, it provides the means to digitally
sign RRsets. This provides data origin authentication and data
integrity. As this operates at the DNS application layer, this is
clearly "end to end" within David Clark's terminology. It does not rely
on any security services in the lower communication layers (in the way
that, for instance, relying on TCP would).

This origin authentication and integrity is precisely what is required
to avoid the DNS cache poisoning which is the kind of vulnerability
which prompted this discussion.

This aspect of DNSSEC does not require the use of any PKI. A security
aware resolver can obtain by some out-of-band means the public signing
key for some "island of security", and choose to trust that key.

However, such bilateral arrangements do not scale to the Internet. So,
DNSSEC provides a means for an Authentication Chain, to use the specific
DNSSEC term. A signed zone can authenticate the key of a child zone.
There is a chain here. However, it is of a significantly different
character to a communication network. Whether it is "end to end" or not
is for a different discussion.


> > "End-to-end" security means that the security of that data item does not
> > depend on the trustworthiness of any intermediate node, or channel.
>
> According to the terminology of David Clark, certificate authorities
> are intermediate nodes.
>
> If you have different terminology, use it outside of the Internet
> community but not within.

I get the impression from you that DNSSEC is to be disregarded because
it is not "end to end". However, the opinion of "the Internet community"
as regards DNSSEC has been made clear in the last few days, given these
announcements:

http://www.nist.gov/public_affairs/releases/dnssec_060309.html

http://pir.org/index.php?db=content/Website&tbl=ORG_Advantage&id=2

http://www.networkworld.com/news/2009/022409-verisign-dns-security.html?hpg1=bn

If the Internet community agrees with you that DNSSEC is not "end to
end", then this does not seem to divert them from implementing it.

best regards

David

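The two DNSSEC mechanisms David describes (signed RRsets for origin authentication, and a parent's DS record authenticating a child zone's key) as an added toy model in Go; this is illustrative code, not from the thread or any resolver. It assumes Ed25519 keys standing in for DNSKEYs, a SHA-256 digest as the DS rdata, a "TYPE/owner" string instead of wire format, and constructed zone names and addresses.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Zone is a toy DNSSEC-signed zone (not wire format): a DNSKEY, RRsets keyed "TYPE/owner", one RRSIG each.
type Zone struct {
	Name         string
	Key          ed25519.PublicKey
	priv         ed25519.PrivateKey
	RRsets, Sigs map[string][]byte
}
func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Zone{name, pub, priv, map[string][]byte{}, map[string][]byte{}}
}
// Publish stores an RRset and signs it; the RRSIG, not the transport, is what a validator relies on.
func (z *Zone) Publish(rr string, rdata []byte) {
	z.RRsets[rr], z.Sigs[rr] = rdata, ed25519.Sign(z.priv, append([]byte(rr+"|"), rdata...))
}
// dsHash is the DS rdata a parent publishes to authenticate a child's DNSKEY.
func dsHash(key ed25519.PublicKey) []byte { s := sha256.Sum256(key); return s[:] }
// Validate walks the chain from a key trusted for chain[0] to an RRset served by the last zone;
// an "island of security" whose key the resolver obtained out of band is just a one-element chain.
func Validate(anchor ed25519.PublicKey, chain []*Zone, rr string, rdata, sig []byte) bool {
	key := anchor
	for i := 0; i+1 < len(chain); i++ {
		p, c, ds := chain[i], chain[i+1], "DS/"+chain[i+1].Name
		// The DS must be signed by the already-trusted parent key and match the child's DNSKEY.
		if !ed25519.Verify(key, append([]byte(ds+"|"), p.RRsets[ds]...), p.Sigs[ds]) ||
			!bytes.Equal(dsHash(c.Key), p.RRsets[ds]) {
			return false
		}
		key = c.Key // the child's key is now authenticated
	}
	return ed25519.Verify(key, append([]byte(rr+"|"), rdata...), sig)
}

// Demo: a full chain from the root key, an answer altered in a cache, and an island of security.
func Demo() (chainOK, poisonedRejected, islandOK bool) {
	root, ex, rr := NewZone("."), NewZone("example."), "A/www.example."
	root.Publish("DS/"+ex.Name, dsHash(ex.Key)) // the delegation link, signed by the parent
	ex.Publish(rr, []byte{192, 0, 2, 1})        // constructed sample address
	chainOK = Validate(root.Key, []*Zone{root, ex}, rr, ex.RRsets[rr], ex.Sigs[rr])
	poisonedRejected = !Validate(root.Key, []*Zone{root, ex}, rr, []byte{198, 51, 100, 9}, ex.Sigs[rr])
	islandOK = Validate(ex.Key, []*Zone{ex}, rr, ex.RRsets[rr], ex.Sigs[rr])
	return
}
```

The altered answer fails because the RRSIG no longer matches, whatever path the response took; the island case passes without any parent because the resolver already trusts that zone's key.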

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg