Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?

Coyo <coyo@darkdna.net> Mon, 27 July 2015 01:21 UTC

Date: Sun, 26 Jul 2015 20:21:09 -0500
From: Coyo <coyo@darkdna.net>
To: dane@ietf.org
Message-Id: <20150726202109.b7fa73e07082093151ac977a@darkdna.net>
In-Reply-To: <20150726151810.GW4347@mournblade.imrryr.org>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> <20150726093802.763f57e77d2810e4f4facc14@darkdna.net> <20150726151810.GW4347@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/U-zgfB980RvReiXdyTp8NQnH4MQ>
Subject: Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?

On Sun, 26 Jul 2015 15:18:11 +0000
Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:

> On Sun, Jul 26, 2015 at 09:38:02AM -0500, Coyo wrote:
> 
> > [ Is running a DANE nameserver for a TLD as complex as running a CA? ]
> >
> > Or am I fundamentally misunderstanding something?
> 
> In short no.  Firstly, there's no such thing as a "DANE nameserver",
> rather there are nameservers authoritative for a DNSSEC signed zone
> that happens to include DANE records.
> 
> Running a DNSSEC signed zone is not especially complex.
> 
> As for the DANE records, if you have so many servers that it makes
> sense to consolidate the various TLSA records into a single trust-anchor
> record, and issue the servers certificates signed by that trust
> anchor, then you're running a CA, which is as complex as running
> a CA (whatever that means).
> 
> If on the other hand the number of servers to manage is small
> enough, or you have simplified the coordination of server certificates
> with the publication of corresponding TLSA (or other DANE) records,
> then it is not like running a CA, but rather like running a public
> key whitepages service.
> 
> -- 
> 	Viktor.

Thank you, that was helpful. I greatly appreciate your wisdom.
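As an added illustration of the trade-off Viktor describes (not code from this thread or from any DANE implementation), the following shows how the TLSA association data of RFC 6698 is derived and matched, and how the record set differs between per-server DANE-EE (usage 3) records and a single DANE-TA (usage 2) trust-anchor record. The certificates are constructed stand-ins holding raw bytes where a real deployment would use DER-encoded X.509 certificates; signature and name validation of the chain is assumed to be done by the caller.

```python
# Added example: TLSA (RFC 6698) association data and matching rules.
# Certificates here are constructed byte-string stand-ins, not real X.509.
import hashlib
from typing import NamedTuple

class Cert(NamedTuple):
    der: bytes     # stand-in for the full DER certificate (selector 0)
    spki: bytes    # stand-in for the SubjectPublicKeyInfo (selector 1)

class TLSA(NamedTuple):
    usage: int     # 2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def assoc_data(cert, selector, mtype):
    """Derive the association data that RFC 6698 says to compare against."""
    part = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return part
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(part).digest()

def make_tlsa(cert, usage, selector=1, mtype=1):
    return TLSA(usage, selector, mtype, assoc_data(cert, selector, mtype))

def presentation(r):
    """Zone-file RDATA form, e.g. '3 1 1 <hex digest>'."""
    return f"{r.usage} {r.selector} {r.mtype} {r.data.hex()}"

def match(chain, records):
    """chain[0] is the server's certificate, later entries its issuers.
    Path validation (signatures, names, validity) is assumed done by the
    caller; this applies only the TLSA association rules."""
    for r in records:
        if r.usage == 3 and assoc_data(chain[0], r.selector, r.mtype) == r.data:
            return r                      # DANE-EE: the leaf itself matched
        if r.usage == 2:                  # DANE-TA: an issuer in the chain matched
            for c in chain[1:]:
                if assoc_data(c, r.selector, r.mtype) == r.data:
                    return r
    return None

def fleet_records(servers, ca=None):
    """DANE-EE needs one record per server and no CA; DANE-TA needs one
    record for the CA, but then every server cert must be issued by it."""
    if ca is None:
        return [make_tlsa(s, 3) for s in servers]
    return [make_tlsa(ca, 2)]
```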