Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 26 July 2015 15:18 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EA31A916F for <dane@ietfa.amsl.com>; Sun, 26 Jul 2015 08:18:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ2XBJfzoxRJ for <dane@ietfa.amsl.com>; Sun, 26 Jul 2015 08:18:18 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DAF91A906D for <dane@ietf.org>; Sun, 26 Jul 2015 08:18:18 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 473DA282FB1; Sun, 26 Jul 2015 15:18:11 +0000 (UTC)
Date: Sun, 26 Jul 2015 15:18:11 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150726151810.GW4347@mournblade.imrryr.org>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> <20150726093802.763f57e77d2810e4f4facc14@darkdna.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150726093802.763f57e77d2810e4f4facc14@darkdna.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/XhrQfKXQN9lAB4-z0x0RWUQYIdc>
Subject: Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2015 15:18:20 -0000

On Sun, Jul 26, 2015 at 09:38:02AM -0500, Coyo wrote:

> [ Is running a DANE nameserver for a TLD as complex as running a CA? ]
>
> Or am I fundamentally misunderstanding something?

In short, no.  Firstly, there's no such thing as a "DANE nameserver",
rather there are nameservers authoritative for a DNSSEC signed zone
that happens to include DANE records.

Running a DNSSEC signed zone is not especially complex.

As for the DANE records, if you have so many servers that it makes
sense to consolidate the various TLSA records into a single trust-anchor
record, and issue the servers certificates signed by that trust
anchor, then you're running a CA, which is as complex as running
a CA (whatever that means).

If on the other hand the number of servers to manage is small
enough, or you have simplified the coordination of server certificates
with the publication of corresponding TLSA (or other DANE) records,
then it is not like running a CA, but rather like running a public
key whitepages service.

-- 
	Viktor.
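The two deployment models contrasted above, as an added example that is not part of the original post or of any DANE implementation: the "public key whitepages" model publishes one DANE-EE (usage 3) TLSA record per server, computed from that server's own key, while the "you're running a CA" model publishes a single DANE-TA (usage 2) record for the issuing CA and every server presents a certificate chained to it. The code builds structurally valid X.509 DER certificates with placeholder signatures and deterministic placeholder keys (constructed here; no real keys or signatures are involved), extracts the SubjectPublicKeyInfo, derives the TLSA rdata, and checks a presented chain against a record set. Signature verification of the chain is deliberately not modelled, so the matching function only shows which certificate a record must be compared against for each usage.

```python
"""Derive TLSA rdata from certificates and match a presented chain (added example)."""
import hashlib

# --- minimal DER encode/decode helpers (enough for the toy certificates below) ---

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split a constructed value into (tag, full TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, nxt = der_read(content, pos)
        out.append((tag, content[pos:nxt]))
        pos = nxt
    return out

OID_ED25519 = bytes.fromhex("06032b6570")     # id-Ed25519, DER encoded
OID_CN = bytes.fromhex("0603550403")          # id-at-commonName, DER encoded

def placeholder_key(label: bytes) -> bytes:
    """Constructed 32-byte stand-in for a public key; NOT a real key."""
    return hashlib.sha256(b"placeholder-key:" + label).digest()

def spki_ed25519(pubkey32: bytes) -> bytes:
    return der_seq(der_seq(OID_ED25519), der(0x03, b"\x00" + pubkey32))

def x509_name(cn: bytes) -> bytes:
    return der_seq(der(0x31, der_seq(OID_CN, der(0x0C, cn))))

def toy_certificate(subject: bytes, issuer: bytes, spki: bytes) -> bytes:
    """X.509 v3 DER with correct field order but a zeroed placeholder signature."""
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                                  # [0] version v3
        der(0x02, b"\x01"),                                              # serialNumber
        der_seq(OID_ED25519),                                            # signature alg
        x509_name(issuer),
        der_seq(der(0x17, b"150726000000Z"), der(0x17, b"160726000000Z")),  # validity
        x509_name(subject),
        spki,                                                            # subjectPublicKeyInfo
    )
    return der_seq(tbs, der_seq(OID_ED25519), der(0x03, b"\x00" + bytes(64)))

def spki_from_cert(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the SPKI TLV (TLSA selector 1)."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_body, _ = der_read(cert_body)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:               # optional explicit version comes first
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int):
    """(usage, selector, matching type, association data hex) per RFC 6698."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    assoc = {0: lambda d: d,
             1: lambda d: hashlib.sha256(d).digest(),
             2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return (usage, selector, mtype, assoc.hex())

def tlsa_presentation(rec) -> str:
    """Zone-file presentation format, e.g. '3 1 1 <hex>'."""
    return f"{rec[0]} {rec[1]} {rec[2]} {rec[3]}"

def dane_match(chain, records):
    """Return the first record matching the presented chain, else None.
    Usage 3 (DANE-EE) is compared against the end-entity cert only;
    usage 2 (DANE-TA) against the issuer certs in the chain.  Chain
    signature validation is out of scope for this toy."""
    for usage, sel, mt, assoc in records:
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        for cert in candidates:
            if tlsa_rdata(cert, usage, sel, mt)[3] == assoc:
                return (usage, sel, mt, assoc)
    return None

def demo():
    """Build one CA and two servers; return both TLSA record sets."""
    ca_cert = toy_certificate(b"Example CA", b"Example CA",
                              spki_ed25519(placeholder_key(b"Example CA")))
    servers = {h: toy_certificate(h.encode(), b"Example CA",
                                  spki_ed25519(placeholder_key(h.encode())))
               for h in ("mail.example.com", "www.example.com")}
    # "whitepages" model: one DANE-EE record per server, no CA in the picture
    ee_records = {h: [tlsa_rdata(c, 3, 1, 1)] for h, c in servers.items()}
    # "CA" model: a single DANE-TA record that every server's chain must reach
    ta_record = [tlsa_rdata(ca_cert, 2, 1, 1)]
    return ca_cert, servers, ee_records, ta_record

if __name__ == "__main__":
    ca_cert, servers, ee_records, ta_record = demo()
    for host, recs in ee_records.items():
        print(f"_25._tcp.{host}. IN TLSA {tlsa_presentation(recs[0])}")
    print("shared trust anchor: IN TLSA", tlsa_presentation(ta_record[0]))
```

With DANE-EE each server's record stands alone, so a key rotation only requires republishing that server's own `3 1 1` record; with DANE-TA the `2 1 1` record never changes on rotation, but every new server certificate has to be issued by the anchored CA, which is the operational burden the post equates with running a CA.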