Re: [dbound] draft-brotman-rdbd

"John R. Levine" <johnl@iecc.com> Mon, 01 April 2019 01:01 UTC

Date: 31 Mar 2019 21:01:44 -0400
Message-ID: <alpine.OSX.2.21.1903312059110.9650@ary.qy>
From: "John R. Levine" <johnl@iecc.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "A. Schulze" <sca@andreasschulze.de>, dbound@ietf.org
In-Reply-To: <26d0eebb-1086-2f2c-056a-ba10dc9e6ac9@cs.tcd.ie>
References: <f6862326-40e1-d804-cefe-e63c79a0534d@andreasschulze.de> <alpine.OSX.2.21.1903311818070.8860@ary.qy> <26d0eebb-1086-2f2c-056a-ba10dc9e6ac9@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dbound/jQwm9Xo1-i5iBPA4YYTQkg-Dhcc>

> If the public key is available with integrity (either via DNSSEC for
> the relating domain or via caching) then signatures add some evidence
> that the relationship is real.

But if I publish a DNSSEC signed record that says "this other domain is 
related to me" you get exactly the same level of assurance.

What does the extra signature provide that DNSSEC doesn't?  Conversely, if 
it's not DNSSEC signed, publishing a fake "this other domain" record is 
exactly as hard as publishing a fake public key record.

R's,
John