IETF Logo Mail Archive

Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?

Nico Williams <nico@cryptonector.com> Tue, 28 July 2015 18:03 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C88CE1B2CF1 for <dane@ietfa.amsl.com>; Tue, 28 Jul 2015 11:03:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.366
X-Spam-Level:
X-Spam-Status: No, score=-2.366 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R1VNUqYDuRQV for <dane@ietfa.amsl.com>; Tue, 28 Jul 2015 11:03:13 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 032211B2CF8 for <dane@ietf.org>; Tue, 28 Jul 2015 11:03:09 -0700 (PDT)
Received: from homiemail-a77.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTP id 88CDF940BC; Tue, 28 Jul 2015 11:03:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=6qZ4Ih5t4Bc+wzBztO8ITUMPkNM=; b=f0ATuJ89y6r W+1lIGSFAj7kNz6duxkkhA+tD4E3IYpehjoqVnlrRdd2d1jScqQaFCPMjLQQP/xK dI7/jCDCZxRMP8so01ivmjihkm5P2bksLIxXhRFZACEKcdg20WPI1ljOUIlHoHkf kdaynQenuaA+b4jGcxpfYDBHUuvOpOZU=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a77.g.dreamhost.com (Postfix) with ESMTPA id 09A5394079; Tue, 28 Jul 2015 11:03:07 -0700 (PDT)
Date: Tue, 28 Jul 2015 13:03:07 -0500
From: Nico Williams <nico@cryptonector.com>
To: "Wiley, Glen" <gwiley@verisign.com>
Message-ID: <20150728180305.GA3901@localhost>
References: <CAMm+LwhYdBLXM8Td8q8SCnzgwywRgMx3wNKeS_Q0JSN4Lh7rZQ@mail.gmail.com> <87si8dagiz.fsf@vigenere.g10code.de> <alpine.LFD.2.11.1507250656400.854@bofh.nohats.ca> <20150726093802.763f57e77d2810e4f4facc14@darkdna.net> <D1DCD6AA.1602B%gwiley@verisign.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <D1DCD6AA.1602B%gwiley@verisign.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/qWvzvBW4ckTHqhOHU7P0H-8Rg94>
Cc: "dane@ietf.org" <dane@ietf.org>
Subject: Re: [dane] Is running a DANE nameserver for a TLD as complex as running a CA?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 18:03:18 -0000

On Tue, Jul 28, 2015 at 10:52:43AM +0000, Wiley, Glen wrote:
> It might help if you offered more specific points to your question.
> Serving DANE style records for a TLD probably doesn¹t make much sense as
> those records have more meaning for a SLD.  Are you asking about running a
> DNSSEC capable name server or serving a signed zone?

That was my take.

DNSSEC is a PKI, so running a signed domain is like running a CA, yes.
There are differences:

 - There's only one trust anchor for the clients (mostly), because
   DNSSEC has naming constraints in place from day one.

 - There's no CRLs and no OCSP (but stapling of DNSSEC data is possible,
   though still being nailed down [har]).

   Revocation is easy: change the keys (and wait for TTLs to pass).

   This does mean that you have to think carefully about what TTLs to
   use.

 - Enrollment and key rollover still need work, but that's kinda true
   for PKIX CAs too...

Nico
--

v2.23.0 | Report a Bug | By Email