Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 26 July 2015 15:18 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27EA31A916F for <dane@ietfa.amsl.com>; Sun, 26 Jul 2015 08:18:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NJ2XBJfzoxRJ for <dane@ietfa.amsl.com>; Sun, 26 Jul 2015 08:18:18 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5DAF91A906D for <dane@ietf.org>; Sun, 26 Jul 2015 08:18:18 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 473DA282FB1; Sun, 26 Jul 2015 15:18:11 +0000 (UTC)
Date: Sun, 26 Jul 2015 15:18:11 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20150726151810.GW4347@mournblade.imrryr.org>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> <20150726093802.763f57e77d2810e4f4facc14@darkdna.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20150726093802.763f57e77d2810e4f4facc14@darkdna.net>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/XhrQfKXQN9lAB4-z0x0RWUQYIdc>
Subject: Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2015 15:18:20 -0000
On Sun, Jul 26, 2015 at 09:38:02AM -0500, Coyo wrote: > [ Is running a DANE nameserver for a TLD as complex as running a CA? ] > > Or am I fundementally misunderstanding something? In short no. Firstly, there's no such thing as a "DANE nameserver", rather there are nameservers authoritative for a DNSSEC signed zone that happens to include DANE records. Running a DNSSEC signed zone is not especially complex. As for the DANE records, if you have so many servers that it makes to consolidate the various TLSA records into a single trust-anchor record, and issue the servers certificates signed by that trust anchor, then you're running a CA, which is as complex as running a CA (whatever that means). If on the other hand the number of servers to manage is small enough, or you have simplified the coordination of server certificates with the publication of corresponding TLSA (or other DANE) records, then it is not like running a CA, but rather like running a public key whitepages service. -- Viktor.
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Olafur Gudmundsson
- Re: [dane] [openpgp] The DANE draft Phillip Hallam-Baker
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- [dane] Is running a DANE nameserver for a TLD as … Coyo
- Re: [dane] Is running a DANE nameserver for a TLD… Viktor Dukhovni
- Re: [dane] Is running a DANE nameserver for a TLD… Coyo
- Re: [dane] [openpgp] The DANE draft Werner Koch
- Re: [dane] Is running a DANE nameserver for a TLD… Wiley, Glen
- Re: [dane] Is running a DANE nameserver for a TLD… Nico Williams
- Re: [dane] The DANE draft Simon Josefsson
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Patrick Ben Koetter
- Re: [dane] [openpgp] The DANE draft Paul Hoffman
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Carsten Strotmann
- Re: [dane] [openpgp] The DANE draft Paul Hoffman
- Re: [dane] [openpgp] The DANE draft Patrik Löhr
- Re: [dane] [openpgp] The DANE draft Viktor Dukhovni
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Jiankang Yao
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Vincent Breitmoser
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Carsten Strotmann
- Re: [dane] [openpgp] The DANE draft Paul Wouters
- Re: [dane] [openpgp] The DANE draft Stephen Farrell
- Re: [dane] [openpgp] The DANE draft Viktor Dukhovni
- Re: [dane] [openpgp] The DANE draft Hosnieh Rafiee
- Re: [dane] [openpgp] The DANE draft Warren Kumari
- Re: [dane] [openpgp] The DANE draft Daniel Kahn Gillmor