Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Florian Weimer <fw@deneb.enyo.de> Sun, 10 August 2008 09:22 UTC

From: Florian Weimer <fw@deneb.enyo.de>
To: Mark Andrews <Mark_Andrews@isc.org>
Cc: Duane <duane@e164.org>, bert hubert <bert.hubert@netherlabs.nl>, Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <200808080052.m780qMd2002912@drugs.dv.isc.org>
Date: Sun, 10 Aug 2008 11:16:57 +0200
In-Reply-To: <200808080052.m780qMd2002912@drugs.dv.isc.org> (Mark Andrews's message of "Fri, 08 Aug 2008 10:52:22 +1000")
Message-ID: <87r68xut4m.fsf@mid.deneb.enyo.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>

* Mark Andrews:

> 	You could have online keys and sign every response with a
> 	ttl + clock skew based window.  This requires that the
> 	private key is on all slaves.  The crypto hardware guys
> 	will love you :-)

Crypto accelerators for RSA are dead.  You can buy four 64x64 -> 128 bit
multipliers supporting a rate of more than 0.5 billion multiplications
per second each for 150 EUR.

> 	Which can be completely automated.  Has already been in
> 	some scenarios.  I haven't re-signed my zones for months
> 	despite using a 30 day expiry period on the signatures.
>
> 	It is set and forget.  More and more of the process will
> 	become "set and forget" as the tools develop.

It's not just the tools.  It requires a change of minds, too.  For a
long time, DNSSEC operations were based not on classic DNS approaches,
but on the CA/PKI model (involving off-line keys, different registration
requirements, audit trails etc.).  However, for obvious reasons, hardly
anybody wanted to deploy it this way.
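The online-signing scheme from the quoted paragraph (each answer signed by a server holding the private key, with a validity window of TTL plus clock skew), worked through as an added Go example that is not from this thread or from any DNS implementation. The signed message layout is an assumed simplification of RFC 4034 input, the 5-minute skew is a constructed value, and RSA PKCS#1 v1.5 over SHA-256 stands in for a real RRSIG.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Window is the validity period attached to an online-generated signature.
type Window struct{ Inception, Expiration time.Time }

// OnlineWindow derives the window from the answer's TTL plus an allowance
// for resolver clock skew on both sides, as the quoted proposal suggests.
func OnlineWindow(now time.Time, ttl, skew time.Duration) Window {
	return Window{Inception: now.Add(-skew), Expiration: now.Add(ttl + skew)}
}

// digest hashes the RRset bytes together with the window, encoded as the
// 32-bit second counts RRSIG uses (assumed simplification of the RFC 4034 input).
func digest(rrset []byte, w Window) []byte {
	h := sha256.New()
	h.Write(rrset)
	var ts [8]byte
	binary.BigEndian.PutUint32(ts[0:4], uint32(w.Inception.Unix()))
	binary.BigEndian.PutUint32(ts[4:8], uint32(w.Expiration.Unix()))
	h.Write(ts[:])
	return h.Sum(nil)
}

// SignResponse is what a slave holding the private key would do per answer.
func SignResponse(key *rsa.PrivateKey, rrset []byte, w Window) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(rrset, w))
}

// Verify rejects answers outside the window (judged by the validator's own
// clock) or whose signature does not match the RRset and window.
func Verify(pub *rsa.PublicKey, rrset, sig []byte, w Window, now time.Time) error {
	if now.Before(w.Inception) || now.After(w.Expiration) {
		return fmt.Errorf("signature not valid at %s", now.UTC().Format(time.RFC3339))
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(rrset, w), sig)
}
```

A validator whose clock is a few minutes behind the signer still accepts the answer, while anything held past TTL plus skew is rejected even though the signature itself is still mathematically valid.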

archive: <http://ops.ietf.org/lists/namedroppers/>