Re: [Asrg] DNSSEC is NOT secure end to end (more tutorial than debating)

Thierry Moreau <thierry.moreau@connotech.com> Tue, 02 June 2009 16:10 UTC

Message-ID: <4A254E82.30201@connotech.com>
Date: Tue, 02 Jun 2009 11:08:34 -0500
From: Thierry Moreau <thierry.moreau@connotech.com>
To: Richard Barnes <rbarnes@bbn.com>
References: <200905302032.n4UKVxaZ048822@givry.fdupont.fr> <4A21C0CB.8070409@necom830.hpcl.titech.ac.jp> <8EFB68EAE061884A8517F2A755E8B60A1EF83F8661@NA-EXMSG-W601.wingroup.windeploy.ntdev.microsoft.com> <4A252B54.6020508@necom830.hpcl.titech.ac.jp> <4A2 <4A254823.9000405@bbn.com>
In-Reply-To: <4A254823.9000405@bbn.com>
Cc: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, Christian Huitema <huitema@windows.microsoft.com>, Francis Dupont <Francis.Dupont@fdupont.fr>, "ietf@ietf.org" <ietf@ietf.org>, Anti-Spam Research Group - IRTF <asrg@irtf.org>
Subject: Re: [Asrg] DNSSEC is NOT secure end to end (more tutorial than debating)

Richard Barnes wrote:
> 
> (That is: You already trust the zones above you to maintain the 
> integrity of the zone on the *server*;
> 

This assumption does not stand universally. For some DNS users/usage, 
DNSSEC signature verification will be a must. The discussion implicitly 
referred to such uses.

Then, it is legitimate to appraise the overall confidence in the DNSSEC 
chain of signatures, and to pinpoint the weakest link (e.g. the zone 
manager having the greatest likelihood of lousy private key protection 
in place).

Indeed, DNS+DNSSEC is no different from plain DNS for those who are 
satisfied with the plain DNS. For those awaiting DNS+DNSSEC for some 
uses, it is useful to understand DNSSEC chains of digital signatures.

Accessorily, the zones "above you" means nothing to a relying party 
that is not validating its own domain.

Regards,

-- 

- Thierry Moreau
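The "chain of signatures" and "weakest link" point above can be made concrete with a small model. The Go program below is an added example written for this archive page; it is not code from the message, from its author, or from any DNS implementation. It simplifies DNSSEC deliberately: one Ed25519 key per zone instead of a KSK/ZSK split, a DS record modelled as the SHA-256 of the child's raw public key, a made-up byte layout for the signed data instead of canonical RRset wire format, and the constructed zone names ".", "org." and "example.org.". A validating resolver walks the chain from its configured trust anchor exactly as ValidateChain does; Scenario then shows that whoever holds the private key of any intermediate zone (here "org.") can re-delegate to a key they control and the forged chain still validates from the root anchor, while the same substitution without that key is rejected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Zone is a simplified DNSSEC zone: one signing key (no KSK/ZSK split),
// the DS it publishes for its single child, and the RRSIG over that DS.
// Names and layout are constructed for this example, not real DNS data.
type Zone struct {
	Name    string
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	childDS []byte // stands in for a DS record: SHA-256 of the child's DNSKEY
	dsSig   []byte // stands in for the RRSIG over that DS, made with priv
}

func newZone(name string) *Zone {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Zone{Name: name, Pub: pub, priv: priv}
}

// dsSignedData is the (invented) byte string a zone signs when delegating.
func dsSignedData(parent, child string, ds []byte) []byte {
	return append([]byte(parent+"|DS|"+child+"|"), ds...)
}

// delegate publishes a DS for child and signs it with the parent's key.
// Whoever holds priv can do this, which is exactly the weakest-link point.
func (z *Zone) delegate(child *Zone) {
	ds := sha256.Sum256(child.Pub)
	z.childDS = ds[:]
	z.dsSig = ed25519.Sign(z.priv, dsSignedData(z.Name, child.Name, z.childDS))
}

// ValidateChain is what a validating resolver does: starting from a
// configured trust anchor, each link must satisfy (1) the parent's DS RRSIG
// verifies under the key already trusted and (2) the child's DNSKEY hashes
// to that DS. Only then does the child's key become trusted in turn.
func ValidateChain(anchor ed25519.PublicKey, chain []*Zone) error {
	if len(chain) == 0 || !bytes.Equal(anchor, chain[0].Pub) {
		return errors.New("first zone key does not match the trust anchor")
	}
	trusted := anchor
	for i := 0; i+1 < len(chain); i++ {
		parent, child := chain[i], chain[i+1]
		if !ed25519.Verify(trusted, dsSignedData(parent.Name, child.Name, parent.childDS), parent.dsSig) {
			return fmt.Errorf("%s: DS RRSIG does not verify", parent.Name)
		}
		if h := sha256.Sum256(child.Pub); !bytes.Equal(h[:], parent.childDS) {
			return fmt.Errorf("%s: DNSKEY does not match DS published in %s", child.Name, parent.Name)
		}
		trusted = child.Pub
	}
	return nil
}

// Scenario builds root -> org -> example.org and returns three outcomes:
// the honest chain validates; an attacker who holds only the org private
// key can swap in their own example.org key and the chain still validates
// from the root anchor; the same swap without the org key is rejected.
func Scenario() (honestOK, forgedWithOrgKeyOK, forgedWithoutKeyOK bool) {
	root, org, example := newZone("."), newZone("org."), newZone("example.org.")
	org.delegate(example)
	root.delegate(org)
	anchor := root.Pub
	honestOK = ValidateChain(anchor, []*Zone{root, org, example}) == nil

	// Attacker controls org's private key: re-delegate to an attacker key.
	evil := newZone("example.org.")
	orgCompromised := *org
	orgCompromised.delegate(evil)
	forgedWithOrgKeyOK = ValidateChain(anchor, []*Zone{root, &orgCompromised, evil}) == nil

	// Attacker can alter the published DS but cannot re-sign it.
	orgTampered := *org
	ds := sha256.Sum256(evil.Pub)
	orgTampered.childDS = ds[:]
	forgedWithoutKeyOK = ValidateChain(anchor, []*Zone{root, &orgTampered, evil}) == nil
	return
}

func main() {
	h, f, n := Scenario()
	fmt.Printf("honest chain valid: %v\nforged with org key valid: %v\nforged without org key valid: %v\n", h, f, n)
}
```

The second outcome is the one the message is about: nothing in the resolver's validation distinguishes a delegation signed by the legitimate org. operator from one signed by anyone who obtained that operator's private key, so the confidence a relying party can place in a signed answer is bounded by the key handling of every zone on the path, not only the leaf zone's.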