Re: OFFTOPIC: DNSSEC groupthink versus improving DNS

Duane <duane@e164.org> Thu, 07 August 2008 14:50 UTC

Message-ID: <489B09FE.8050701@e164.org>
Date: Fri, 08 Aug 2008 00:43:10 +1000
From: Duane <duane@e164.org>
To: bert hubert <bert.hubert@netherlabs.nl>
CC: Namedroppers <namedroppers@ops.ietf.org>
Subject: Re: OFFTOPIC: DNSSEC groupthink versus improving DNS
References: <489AD5E3.20708@nlnetlabs.nl> <20080807134236.GA19024@outpost.ds9a.nl>
In-Reply-To: <20080807134236.GA19024@outpost.ds9a.nl>

bert hubert wrote:
> Or 79-page presentations called "DNSSEC in six minutes" - giving people 4.6
> seconds per page. It is just not real.
> http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf

I've seen this document in the past and it actually turned me and others
completely off the idea of DNSSEC, which in part was what led to me
playing with encryption, funnily enough, because it seems to me most are
promoting 30-day TTLs on the sigs, which means 30 days of replay attacks
potentially, not to mention the whole re-signing every 30 days.

Whoever thought that does not live in the real world; people
administering servers with X.509 certs that expire yearly is bad enough,
but every 30 days or less???

That alone is going to be a show stopper for most if not all admins with
too many things to do and not enough time to do everything.

-- 

Best regards,
 Duane
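The replay window and re-signing burden Duane describes, as an added example that is not part of this thread (my code, not ISC's or anyone's on the list): it parses constructed RRSIG records in presentation format, reports each signature's validity period, computes how long a superseded signed answer would still validate, and flags signatures due for re-signing. The record contents, the 7-day warning threshold and the audit time are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format (RFC 4034, section 3.2);
# the trailing signature field is a placeholder, not real signature data.
RRSIG_RECORDS = [
    "example. 3600 IN RRSIG A 8 1 3600 20080901000000 20080802000000 12345 example. SIGDATA==",
    "example. 3600 IN RRSIG MX 8 1 3600 20080809000000 20080802000000 12345 example. SIGDATA==",
    "www.example. 3600 IN RRSIG A 8 2 3600 20080801000000 20080702000000 12345 example. SIGDATA==",
]

def parse_time(field: str) -> datetime:
    # RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime

def parse_rrsig(line: str) -> Rrsig:
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    # fields: owner ttl class RRSIG type alg labels orig-ttl expiration inception keytag signer sig
    return Rrsig(f[0], f[4], parse_time(f[8]), parse_time(f[9]))

def validity_days(sig: Rrsig) -> float:
    return (sig.expiration - sig.inception).total_seconds() / 86400

def replay_window_days(sig: Rrsig, superseded_at: datetime) -> float:
    # After the RRset is changed at superseded_at, a captured copy of the old
    # signed answer still validates until the signature expires.
    return max(0.0, (sig.expiration - superseded_at).total_seconds() / 86400)

def audit(records, now: datetime, warn_days: int = 7) -> dict:
    # Classify each signature for a re-signing schedule check.
    report = {}
    for line in records:
        sig = parse_rrsig(line)
        if now >= sig.expiration:
            status = "EXPIRED"
        elif now >= sig.expiration - timedelta(days=warn_days):
            status = "RESIGN-SOON"
        else:
            status = "OK"
        report[(sig.owner, sig.type_covered)] = status
    return report
```

With a 30-day validity period and a zone change five days after signing, the old answer remains replayable for the remaining 25 days; the 7-day signature shrinks that to 2 days but must be regenerated more than four times as often.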

--
to unsubscribe send a message to namedroppers-request@ops.ietf.org with
the word 'unsubscribe' in a single line as the message text body.
archive: <http://ops.ietf.org/lists/namedroppers/>