ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis hard to get right

2010-09-07 10:53:48
from [Jiankang YAO] [Permanent Link] 

----- Original Message ----- 
From: "Stephane Bortzmeyer" <bortzmeyer(_at_)nic(_dot_)fr>
To: "Jiankang YAO" <yaojk(_at_)cnnic(_dot_)cn>
Cc: <namedroppers(_at_)ops(_dot_)ietf(_dot_)org>; <ietf(_at_)ietf(_dot_)org>
Sent: Tuesday, September 07, 2010 3:17 PM
Subject: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis 
hard to get right



On Tue, Aug 31, 2010 at 02:55:08PM +0800,
Jiankang YAO <yaojk(_at_)cnnic(_dot_)cn> wrote 
a message of 11 lines which said:


I propose a lightweight DNSSEC.

http://www.ietf.org/id/draft-yao-dnsext-msig-00.txt


I've just read the draft and I'm not sure of the problem it intends to
solve. There are two parts where DNSSEC could be regarded as "too
heavy":

1) Administrative procedures, key management, resigning, etc.

2) Work for the name servers (loading large zones, sending large
packets, validating, etc).

MSIG addresses only the second. The first one, which was the cause of
the failure for iab.org, is exactly the same as with the current
DNSSEC.

Even for the second, MSIG addresses a problem that we do not feel (for
the signing of .FR, which will be on line next week, the size of the
zone was the smallest problem) and creates a new problem: the
authoritative name server now must generate a signature for every
request! You will eat less RAM but use much more CPU.



frankly said, I got the inspiration from the DNScurv draft 
draft-dempsky-dnscurve-01 - DNSCurve,

which uses the similar mechanism, but changed the dns packet format.

The MSIG proposal does not change the basic rules of dns.

MSIG is very useful for the registries or the DNS zone which has the millions 
of domain names since it will reduce the size of the zone dramatically.

on the other hand, the outgoing DNS packages are too large for the heavy 
dnssec. sometimes, we have to use the TCP connections to transfer the big 
package.

MSIG will reduce the dns outgoing package too.






Also, if I understood the draft correctly:

* Every authoritative name server, even a slave, will require a copy
of the private key (since it will have to sign the responses
on-the-fly). Bad for manageability and security.

* MSIG secures the link from the authoritative name server to the
resolver but cannot help if there are chained resolvers, or cannot be
used for the last mile. (I'm not sure about this last point, it is not
clear in the draft.)



for the last mile problem, 

I also proposed http://tools.ietf.org/html/draft-yao-dnsop-resolverkey-00


thanks a lot for your taking a look at my draft.



Jiankang Yao





_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • Re: MSIG proposal (on-the-fly sigs for ordinary records) Was: DNSSECis hard to get right, Jiankang YAO <=
Previous by Date:  Re: [xmpp] Review of draft-saintandre-tls-server-id-check, Bernard Aboba
Next by Date:  re: Last Call: <draft-ietf-tcpm-urgent-data-06.txt> (On the implementation of the TCP urgent mechanism) to Proposed Standard, Keith Moore
Previous by Thread:  Re: [xmpp] Review of draft-saintandre-tls-server-id-check, Bernard Aboba
Next by Thread:  re: Last Call: <draft-ietf-tcpm-urgent-data-06.txt> (On the implementation of the TCP urgent mechanism) to Proposed Standard, Keith Moore
Indexes:  [Date] [Thread] [Top] [All Lists]