Re: [dnsext] Authenticated denial of existence...
Tony Finch <dot@dotat.at> Mon, 25 November 2013 15:44 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 911761ADED5 for <dnsext@ietfa.amsl.com>; Mon, 25 Nov 2013 07:44:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.002
X-Spam-Level:
X-Spam-Status: No, score=-0.002 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, RP_MATCHES_RCVD=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rohgG7qblt2C for <dnsext@ietfa.amsl.com>; Mon, 25 Nov 2013 07:43:58 -0800 (PST)
Received: from ppsw-42.csi.cam.ac.uk (ppsw-42.csi.cam.ac.uk [IPv6:2001:630:212:8::e:f42]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4D01ADF56 for <dnsext@ietf.org>; Mon, 25 Nov 2013 07:43:57 -0800 (PST)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-2.csi.cam.ac.uk ([131.111.8.54]:41674) by ppsw-42.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.159]:25) with esmtpa (EXTERNAL:fanf2) id 1VkyKL-0006ua-6V (Exim 4.82_3-c0e5623) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 25 Nov 2013 15:43:57 +0000
Received: from fanf2 by hermes-2.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1VkyKK-0003Q0-Ul (Exim 4.72) (return-path <fanf2@hermes.cam.ac.uk>); Mon, 25 Nov 2013 15:43:56 +0000
Date: Mon, 25 Nov 2013 15:43:56 +0000
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Miek Gieben <miek@miek.nl>
In-Reply-To: <20131125140508.GB20994@miek.nl>
Message-ID: <alpine.LSU.2.00.1311251538220.24198@hermes-2.csi.cam.ac.uk>
References: <CFD6B510-D70E-4308-BF3E-B2E7C2ADCBEB@nominum.com> <alpine.LSU.2.00.1311201202570.11548@hermes-2.csi.cam.ac.uk> <21132.63250.716415.755401@gro.dd.org> <20131125140508.GB20994@miek.nl>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] Authenticated denial of existence...
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext/>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Nov 2013 15:44:01 -0000
Miek Gieben <miek@miek.nl> wrote:
> Matthijs and I added an extra appendix to cover on-line signing and
> made some tweaks to the rest of the text.
Looks good.
A point I just noticed in section 3 which I think could do with
elaborating:
Given all these troubles, why didn't the designers of DNSSEC go
for the (easy) route and allowed for on-line signing? Well, at
that time (pre 2000), on-line signing was not feasible with the
then current hardware. Keep in mind that the larger servers get
between 2000 and 6000 queries per second (qps), with peaks up to
20,000 qps or more. Scaling signature generation to these kind of
levels is always a challenge. Another issue was (and is) key
management, for on-line signing to work you need access to the
private key(s). This is considered a security risk.
I think it is worth saying that online signing makes it difficult to have
third party secondary authoritative servers, since they would need a copy
of the private ZSK. With normal DNSSEC, even with a dynamically updated
zone, the private keys do not need to be on a publicly accessible machine.
Tony.
--
f.anthony.n.finch <dot@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
- Re: [dnsext] Authenticated denial of existence... Miek Gieben
- Re: [dnsext] Authenticated denial of existence... Jiankang Yao
- [dnsext] Authenticated denial of existence... Ted Lemon
- Re: [dnsext] Authenticated denial of existence... bmanning
- Re: [dnsext] Authenticated denial of existence... Ted Lemon
- Re: [dnsext] Authenticated denial of existence... bmanning
- Re: [dnsext] Authenticated denial of existence... Ted Lemon
- Re: [dnsext] Authenticated denial of existence... joel jaeggli
- Re: [dnsext] Authenticated denial of existence... Tony Finch
- Re: [dnsext] Authenticated denial of existence... Miek Gieben
- Re: [dnsext] Authenticated denial of existence... Matthijs Mekking
- Re: [dnsext] Authenticated denial of existence... Ted Lemon
- Re: [dnsext] Authenticated denial of existence... Miek Gieben
- Re: [dnsext] Authenticated denial of existence... Dave Lawrence
- Re: [dnsext] Authenticated denial of existence... Mark Andrews
- Re: [dnsext] Authenticated denial of existence... Miek Gieben
- Re: [dnsext] Authenticated denial of existence... Matthijs Mekking
- [dnsext] RFC 4470 bitmap (Was Re: Authenticated d… Matthijs Mekking
- Re: [dnsext] RFC 4470 bitmap (Was Re: Authenticat… Tony Finch
- Re: [dnsext] RFC 4470 bitmap (Was Re: Authenticat… Matthijs Mekking
- Re: [dnsext] RFC 4470 bitmap (Was Re: Authenticat… Tony Finch
- Re: [dnsext] Authenticated denial of existence... Miek Gieben
- Re: [dnsext] Authenticated denial of existence... Tony Finch
- Re: [dnsext] Authenticated denial of existence... Jelte Jansen
- Re: [dnsext] Authenticated denial of existence... Tony Finch
- Re: [dnsext] Authenticated denial of existence... Jelte Jansen
- Re: [dnsext] Authenticated denial of existence... Matthijs Mekking
- Re: [dnsext] Authenticated denial of existence... Tony Finch
- Re: [dnsext] Authenticated denial of existence... Matthijs Mekking