
Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end

2009-06-15 20:08:08
So we have totally abandoned the idea of doing DNSSEC in the end point client?

Trust roots have to be valid for at least a decade to be acceptable to
the application vendor community.


And even though the current model of network administration is to
constantly fiddle with everything, I think that is going to have to
stop.


On Thu, Jun 11, 2009 at 8:48 PM, Mark Andrews <marka(_at_)isc(_dot_)org> wrote:

In message <a123a5d60906110800i58353c99wc6b16a50395dc5f4(_at_)mail(_dot_)gmail(_dot_)com>, Phillip Hallam-Baker writes:
OK, how do you do that if the ICANN root is baked into your broadband
router? How about a light switch?

       Given that the ICANN root servers have a history of changing
       address I would not expect any vendor to not provide a
       mechanism for changing them.  We build in the ICANN root
       servers in our products but we also provide mechanisms to
       change them.

% grep ROOT-SE CHANGES
2328.   [maint]         Add AAAA addresses for A.ROOT-SERVERS.NET,
                       F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
                       J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
                       M.ROOT-SERVERS.NET.
2255.   [maint]         L.ROOT-SERVERS.NET is now 199.7.83.42.
1567.   [maint]         B.ROOT-SERVERS.NET is now 192.228.79.201.
1397.   [maint]         J.ROOT-SERVERS.NET is now 192.58.128.30.
%

       The same thing will have to be provided for any DNSKEYs
       embedded in software as the expectation is that these will
       change relatively often, much more often than CA certs.

Yes in theory I can reverse engineer the code. In practice this is not
practical. In theory the music industry could set up their own
alternative to iTunes, in practice they have no choice but to deal
with Apple.

       Governments are not private companies.  Governments often do
       things no sane company would do.

Most cell phones ship with only a small number of SSL roots and the
end user has no ability to change them.

You can change the signing key, but distributing and embedding the
verification key is a whole different issue. The reason that VeriSign
can charge a premium for certs is because its verification roots are
the most widely embedded.

You may disagree with my arguments here, but you do not have the
standing to call them 'specious'.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org




-- 
New Website: http://hallambaker.com/
View Quantum of Stupid podcasts, Tuesday and Thursday each week,
http://quantumofstupid.com/
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
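
The quoted reply argues that built-in root data goes stale and needs an update path; that drift can be checked mechanically. Added example (not from the original message or from ISC): it parses the CHANGES lines quoted above and flags stale entries in a hypothetical device's frozen hints table. The `BAKED_IN` table, its 192.0.2.x addresses and all function names are constructed for illustration.

```python
import re

# CHANGES excerpt as quoted in the message above.
CHANGES = """\
2328.   [maint]         Add AAAA addresses for A.ROOT-SERVERS.NET,
                       F.ROOT-SERVERS.NET, H.ROOT-SERVERS.NET,
                       J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
                       M.ROOT-SERVERS.NET.
2255.   [maint]         L.ROOT-SERVERS.NET is now 199.7.83.42.
1567.   [maint]         B.ROOT-SERVERS.NET is now 192.228.79.201.
1397.   [maint]         J.ROOT-SERVERS.NET is now 192.58.128.30.
"""

# Constructed sample: hints frozen into a hypothetical device image.
BAKED_IN = {
    "B.ROOT-SERVERS.NET": "192.228.79.201",  # matches the change log
    "J.ROOT-SERVERS.NET": "192.0.2.10",      # constructed stale value
    "L.ROOT-SERVERS.NET": "192.0.2.12",      # constructed stale value
}

ENTRY = re.compile(r"^(\d+)\.\s+\[(\w+)\]\s+(.*)$")
MOVED = re.compile(r"([A-M]\.ROOT-SERVERS\.NET) is now (\d+\.\d+\.\d+\.\d+)\.")

def parse_changes(text):
    """Join continuation lines into entries: [(number, tag, body), ...]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([int(m.group(1)), m.group(2), m.group(3).strip()])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def address_changes(entries):
    """Map server name -> (change number, new address); newest change wins."""
    latest = {}
    for number, _tag, body in sorted(entries):  # ascending change number
        m = MOVED.search(body)
        if m:
            latest[m.group(1)] = (number, m.group(2))
    return latest

def stale_hints(baked_in, latest):
    """Return {name: (baked address, logged address, change number)}."""
    return {n: (a, latest[n][1], latest[n][0]) for n, a in baked_in.items()
            if n in latest and latest[n][1] != a}

if __name__ == "__main__":
    print(stale_hints(BAKED_IN, address_changes(parse_changes(CHANGES))))
```

A device with no way to replace the flagged entries keeps querying addresses the root operators have left, which is the same failure the thread anticipates for embedded DNSKEYs.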
