
Re: Let's move on - Let's DNSCurve Re: DNSSEC is NOT secure end to end

2009-06-10 20:42:17

In message <p06240803c65430cf6e92(_at_)[10(_dot_)10(_dot_)10(_dot_)117]>, 
Stephen Kent writes:
Joe,

You have argued that DNSSEC is not viable because it requires that 
everyone adopt IANA as the common root.

Which isn't even a requirement.  Alternate root providers just need
to get a copy of the root zone with DS records and sign it with their
own DNSKEY records for the root.

ISPs that choose to use alternate roots might get complaints however
from their customers if they are validating the answers using the
trust anchors provided by IANA.  This however should be seen as a
good thing as the ISP can no longer tamper with the DNS without
being detected.  If an ISP can convince all their customers that the
alternate roots are a good thing then this won't become an issue.

I agree that under the 
current IANA management situation many folks may be uncomfortable 
with IANA as the root.  However, in practice, the world has lived 
with IANA as the root for the non-secure version of DNS for a long 
time, so it's not clear that a singly-rooted DNSSEC is not viable 
based on this one concern.  Moreover, DNSSEC is a form of PKI, and in 
ANY PKI, it is up to the relying parties to select the trust anchors 
they recognize.  In a hierarchic system like DNS, the easiest 
approach is to adopt a single TA, the DNS root. But, it is still 
possible for a relying party to do more work and select multiple 
points as TAs. I would expect military organizations in various parts 
of the world to adopt a locally-managed TA store model for DNSSEC, to 
address this concern. However the vast majority of Internet users 
probably are best served by the single TA model.

As for DNSCurve, I agree with the comments that several others have 
made, i.e., it does not provide the fundamental security one wants in 
DNS, i.e., an ability to verify the integrity and authenticity of 
records as attested to by authoritative domains, in the face of 
caching.


Steve
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka(_at_)isc(_dot_)org
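The point made above, that a customer validating with the trust anchors
published by IANA will reject a root signed by someone else's DNSKEY,
comes down to the DS match a validator performs before it trusts any
root key.  The script below is an added example written for this
archive page, not code from the thread or from ISC: the two root KSKs
are constructed dummy keys, the DS digest is computed as RFC 4034
section 5.1.4 describes (SHA-256, digest type 2), and RRSIG
verification over the DNSKEY RRset is deliberately left out, so the
check shown is only the trust-anchor matching step.

```python
"""Trust-anchor matching for a root DNSKEY RRset (added example, toy keys).

Which root keys a validator accepts depends only on the DS records it was
configured with.  A validator shipped with IANA's anchor rejects an
alternate root's key; one configured with the alternate anchor accepts it.
"""
import hashlib
import struct
from dataclasses import dataclass

ROOT_OWNER_WIRE = b"\x00"   # owner name "." in wire format: one empty label
DS_DIGEST_SHA256 = 2        # DS digest type for SHA-256 (RFC 4509)
KSK_FLAGS = 257             # Zone Key (bit 7) + Secure Entry Point (bit 15)
ALG_RSASHA256 = 8           # algorithm number only; key bytes below are dummies


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA: Flags | Protocol | Algorithm | Public Key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
        ac = 0
        for i, byte in enumerate(self.rdata()):
            ac += (byte << 8) if i % 2 == 0 else byte
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def ds_from_dnskey(owner_wire: bytes, key: DNSKEY) -> DS:
    """RFC 4034 s5.1.4: digest = SHA-256(owner name wire | DNSKEY RDATA)."""
    digest = hashlib.sha256(owner_wire + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, DS_DIGEST_SHA256, digest)


def trusted_keys(trust_anchors, keyset, owner_wire=ROOT_OWNER_WIRE):
    """Return the DNSKEYs in `keyset` that match one of the configured DS
    trust anchors.  A real validator would then verify the RRSIG over the
    DNSKEY RRset with a matched key; that step is omitted here."""
    anchors = {(ta.key_tag, ta.algorithm, ta.digest_type, ta.digest) for ta in trust_anchors}
    accepted = []
    for key in keyset:
        if key.flags & 0x0100 == 0 or key.protocol != 3:
            continue  # not a zone key, or wrong protocol: never a candidate
        ds = ds_from_dnskey(owner_wire, key)
        if (ds.key_tag, ds.algorithm, ds.digest_type, ds.digest) in anchors:
            accepted.append(key)
    return accepted


# Constructed stand-ins for two different root KSKs (not real key material).
IANA_ROOT_KSK = DNSKEY(KSK_FLAGS, 3, ALG_RSASHA256, bytes(range(1, 65)))
ALT_ROOT_KSK = DNSKEY(KSK_FLAGS, 3, ALG_RSASHA256, bytes(range(64, 0, -1)))

IANA_TRUST_ANCHOR = ds_from_dnskey(ROOT_OWNER_WIRE, IANA_ROOT_KSK)
ALT_TRUST_ANCHOR = ds_from_dnskey(ROOT_OWNER_WIRE, ALT_ROOT_KSK)


def accepted_key_tags(trust_anchors, served_keyset):
    """Key tags a validator with `trust_anchors` would accept from the served RRset."""
    return [k.key_tag() for k in trusted_keys(trust_anchors, served_keyset)]


if __name__ == "__main__":
    # Customer configured with IANA's anchor, ISP serving the alternate root:
    # nothing matches, so the whole root DNSKEY RRset is treated as bogus.
    print("IANA anchor vs alternate root:", accepted_key_tags([IANA_TRUST_ANCHOR], [ALT_ROOT_KSK]))
    # Same customer, ISP serving the IANA-signed root: the key is accepted.
    print("IANA anchor vs IANA root:     ", accepted_key_tags([IANA_TRUST_ANCHOR], [IANA_ROOT_KSK]))
    # A relying party that chose the alternate anchor accepts the alternate root.
    print("alt anchor vs alternate root: ", accepted_key_tags([ALT_TRUST_ANCHOR], [ALT_ROOT_KSK]))
```

The DS digest binds the owner name as well as the key, so the same key
material published under a different owner name produces a different DS;
a validator configured with several anchors, as the locally managed TA
store described above, simply passes a larger `trust_anchors` set in.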