Re: [dbound] draft-brotman-rdbd

"John R. Levine" <johnl@iecc.com> Mon, 01 April 2019 02:38 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dbound@ietfa.amsl.com
Delivered-To: dbound@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12E21120241 for <dbound@ietfa.amsl.com>; Sun, 31 Mar 2019 19:38:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zxNVJObqFl0m for <dbound@ietfa.amsl.com>; Sun, 31 Mar 2019 19:38:53 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA5F51201D6 for <dbound@ietf.org>; Sun, 31 Mar 2019 19:38:52 -0700 (PDT)
Received: (qmail 54833 invoked from network); 1 Apr 2019 02:38:50 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=d62e.5ca179ba.k1903; bh=E3Hc5hXViV4LHkFZ4AcTAsM2DUsshBL486kzUYu/5jc=; b=IinEVTCyPWwbMVDK/I2jgO9ZQWMw/hE2EvEDgbjC5L/mOVCiZ31GeUT/CSUwF2OsJWwz+7Tqso5rHPLFBwLnD6v3PFcACMDj6OHBlaHt/sOB6Bcy0XDDbdd5Rs6LlHuylyvhJmaV9Dkxq85ZiT1ngkkc9Oi76LNlnxyYsi8MynQwo8+7vikCJgUJpT16HvMZHBPGS9j68kV9XaRm5lmPrjdbO49cUoKR35Sdppy/UUcMs5AVUzivozqC2VBF+Umu
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2 ECDHE-RSA AES-256-GCM AEAD) via TCP6; 01 Apr 2019 02:38:50 -0000
Date: 31 Mar 2019 22:38:50 -0400
Message-ID: <alpine.OSX.2.21.1903312230470.10104@ary.qy>
From: "John R. Levine" <johnl@iecc.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: dbound@ietf.org
In-Reply-To: <3ccbca12-e69c-6f1a-5cf6-3533e1253b0b@cs.tcd.ie>
References: <f6862326-40e1-d804-cefe-e63c79a0534d@andreasschulze.de> <alpine.OSX.2.21.1903311818070.8860@ary.qy> <26d0eebb-1086-2f2c-056a-ba10dc9e6ac9@cs.tcd.ie> <alpine.OSX.2.21.1903312059110.9650@ary.qy> <dd05deff-b7d4-b605-0c25-d401a7858ff7@cs.tcd.ie> <alpine.OSX.2.21.1903312150240.9966@ary.qy> <6b13a06f-ece2-d1c5-83b9-cfa0a30914f3@cs.tcd.ie> <alpine.OSX.2.21.1903312212440.10050@ary.qy> <3ccbca12-e69c-6f1a-5cf6-3533e1253b0b@cs.tcd.ie>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/cWWfZIss63k_nnGxdKv9tfE6PNw>
Subject: Re: [dbound] draft-brotman-rdbd
X-BeenThere: dbound@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS tree bounds <dbound.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dbound>, <mailto:dbound-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dbound/>
List-Post: <mailto:dbound@ietf.org>
List-Help: <mailto:dbound-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dbound>, <mailto:dbound-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 02:39:06 -0000

>> If you can believe the
>> signature record has integrity because whatever, you can believe the
>> same thing about a much simpler pointer record.
>
> Wrong. As previously explained.
>
> Your "whatever" above ignores all I said about public keys
> known with integrity. And your "the same thing" is not true
> on its face, when DNSSEC is not universal.

No, really, it doesn't.  You're saying the public key is a token that 
people can find credible through a variety of routes, DNSSEC, stable 
publication, whatever.  But exactly the same routes to credibility apply 
to pointer records.

I also note that in practice, there doesn't ever seem to have been a 
spoofing attack on DKIM key records so in practice mail validators always 
accept them as valid.  Mine have DNSSEC signatures but I'm not aware of 
any DKIM software that gives extra points to signed DKIM keys.

I suppose that if there were some very high value application that 
depended on rdbd records there might be more of an incentive to use DNS 
attacks to fake them, but it all seems like a lot of extra work for 
utterly speculative benefits.

Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly