
Re: [saag] What does DNSSec protect? (Re: Last Call: <draft-dukhovni-opportunistic-security-01.txt> (Opportunistic Security: some protection most of the time) to Informational RFC)

2014-08-11 10:06:17
All of this is true… ONLY to the extent that you have, in your possession and
properly configured (AT YOUR OWN NODE), a verified Trust Anchor - AND if the chain
of custody terminates at one of the Trust Anchors you have configured.

Almost the same model as the CA keys stored in your browser…  

A presumption is that folks will care for and actively manage their Trust
Anchors. Just like folks care for and actively manage their Browser Certificates.

As usual, YMMV and your vendor may or may not agree with your trust profile or 
allow you to set it.

/bill


On Saturday, 9 August 2014, at 14:34, Donald Eastlake <d3e3e3(_at_)gmail(_dot_)com>
wrote:

Just to point out that DNSSEC authenticates data even in the case of
null data; that is, it provides authenticated denial of the existence
of data.

Thanks,
Donald
=============================
Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
155 Beaver Street, Milford, MA 01757 USA
d3e3e3(_at_)gmail(_dot_)com


On Sat, Aug 9, 2014 at 1:03 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> 
wrote:
On Sat, 9 Aug 2014, Dave Crocker wrote:

Data integrity is an important side-effect of crypto signing
methodology.  However I'm not used to seeing it classed as the primary
purpose of DNSSec, with no mention of authentication.


In the mid nineties when DNSSEC was worked on, there were two camps. The
DNS people who wanted to only secure DNS and explicitly did NOT
want the DNS to become a PKI. And those that mainly wanted secure
DNS to make a new PKI (e.g. Gilmore and the FreeS/WAN people). This
fight continued throughout, and is the reason KEY/SIG/NXT changed to
DNSKEY/RRSIG/NSEC. The change dictated those records were for DNS only
and not for use by applications as PKI.

So the PKI people had to silently go along with the DNS people to
write and deploy DNSSEC, so that they could add their RRTYPEs for a
PKI later even if the DNS people hated the idea. That is why you don't
see it listed anywhere in any document as a purpose of DNSSEC.

Paul


_______________________________________________
saag mailing list
saag(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/saag
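Two points in the thread are worth seeing in code: Donald's remark that DNSSEC gives authenticated denial of existence (the NSEC records Paul mentions), and Bill's caveat that any such proof only counts once the signatures have been validated against a trust anchor configured on your own node. The example below is added here and is not code from anyone on the thread; it implements the RFC 4034 canonical name ordering and shows how a validator decides what a (constructed, already-validated) NSEC chain for the made-up zone example.test proves about a query.

```python
# Added example, not code from the thread: how a validating resolver turns an NSEC
# record into an authenticated denial. It assumes the NSEC RRset's RRSIG has already
# been verified up to a trust anchor configured on the local node; without that step
# the answer below is just unauthenticated data.

def canonical_labels(name):
    """Labels of an (unescaped) name, lowercased, root-most label first."""
    name = name.rstrip(".").lower()
    return [lab.encode("ascii") for lab in reversed(name.split("."))] if name else []

def canonical_cmp(a, b):
    """RFC 4034 section 6.1 canonical ordering: compare label by label from the root;
    a parent name is a proper prefix and sorts before its children."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def nsec_proves(nsec, qname, qtype):
    """What one NSEC (owner, next owner, type bitmap) proves about a query.
    Returns "NXDOMAIN", "NODATA", or None when this record says nothing."""
    owner, nxt, types = nsec
    if canonical_cmp(qname, owner) == 0:          # name exists: look at the bitmap
        return None if qtype in types else "NODATA"
    after_owner = canonical_cmp(qname, owner) > 0
    before_next = canonical_cmp(qname, nxt) < 0
    wraps = canonical_cmp(nxt, owner) <= 0        # last NSEC points back to the apex
    if after_owner and (before_next or wraps):    # qname falls in the gap: no such name
        return "NXDOMAIN"
    return None

def prove(nsec_rrset, qname, qtype):
    """First proof any NSEC in the (validated) set yields. A complete NXDOMAIN proof
    also needs an NSEC showing no wildcard at the closest encloser; omitted here."""
    for nsec in nsec_rrset:
        result = nsec_proves(nsec, qname, qtype)
        if result:
            return result
    return None

# Constructed NSEC chain for a made-up zone: apex -> alpha -> charlie -> apex.
ZONE_NSEC = [
    ("example.test.", "alpha.example.test.", {"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"}),
    ("alpha.example.test.", "charlie.example.test.", {"A", "NSEC", "RRSIG"}),
    ("charlie.example.test.", "example.test.", {"A", "AAAA", "NSEC", "RRSIG"}),
]

if __name__ == "__main__":
    print(prove(ZONE_NSEC, "bravo.example.test.", "A"))   # NXDOMAIN: in the alpha..charlie gap
    print(prove(ZONE_NSEC, "zulu.example.test.", "A"))    # NXDOMAIN: after charlie, chain wraps
    print(prove(ZONE_NSEC, "alpha.example.test.", "MX"))  # NODATA: name exists, no MX
    print(prove(ZONE_NSEC, "alpha.example.test.", "A"))   # None: record exists, answer it
```

A resolver with no trust anchor, or one whose vendor does not let it set one, can run this same logic but has nothing to anchor the RRSIG check to, which is exactly Bill's point.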


