[dnsext] stub validation
Paul Vixie <vixie@isc.org> Mon, 25 October 2010 01:27 UTC
Return-Path: <owner-namedroppers@ops.ietf.org>
X-Original-To: ietfarch-dnsext-archive@core3.amsl.com
Delivered-To: ietfarch-dnsext-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09D663A677D; Sun, 24 Oct 2010 18:27:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.481
X-Spam-Level:
X-Spam-Status: No, score=-2.481 tagged_above=-999 required=5 tests=[AWL=0.118, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EyYZMt7dARn3; Sun, 24 Oct 2010 18:27:05 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 15B563A6767; Sun, 24 Oct 2010 18:27:05 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-namedroppers@ops.ietf.org>) id 1PABnA-000BfB-Pn for namedroppers-data0@psg.com; Mon, 25 Oct 2010 01:24:04 +0000
Received: from [2001:4f8:3:bb:230:48ff:fe5a:2f38] (helo=nsa.vix.com) by psg.com with esmtps (TLSv1:CAMELLIA256-SHA:256) (Exim 4.72 (FreeBSD)) (envelope-from <vixie@vix.com>) id 1PABn8-000Ber-Gg for namedroppers@ops.ietf.org; Mon, 25 Oct 2010 01:24:02 +0000
Received: from nsa.vix.com (localhost [127.0.0.1]) by nsa.vix.com (Postfix) with ESMTP id C8FBCA1078 for <namedroppers@ops.ietf.org>; Mon, 25 Oct 2010 01:24:01 +0000 (UTC) (envelope-from vixie@nsa.vix.com)
From: Paul Vixie <vixie@isc.org>
To: "namedroppers@ops.ietf.org" <namedroppers@ops.ietf.org>
Subject: [dnsext] stub validation
In-Reply-To: Your message of "Sun, 24 Oct 2010 16:24:54 MST." <8D01F5E3-F863-4873-BB0E-654FA89983F7@virtualized.org>
References: <C8EA875A.83BA%roy@nominet.org.uk> <8D01F5E3-F863-4873-BB0E-654FA89983F7@virtualized.org>
X-Mailer: MH-E 8.1; nil; GNU Emacs 23.1.1
Date: Mon, 25 Oct 2010 01:24:01 +0000
Message-ID: <88612.1287969841@nsa.vix.com>
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk
List-ID: <namedroppers.ops.ietf.org>
List-Unsubscribe: To unsubscribe send a message to namedroppers-request@ops.ietf.org with
List-Unsubscribe: the word 'unsubscribe' in a single line as the message text body.
List-Archive: <http://ops.ietf.org/lists/namedroppers/>
among many critical defects in DNSSEC as specified, there's no good model for stub validation, and as time goes on there are fewer and fewer trustworthy rdns servers. as kaminsky said, "i'm not going to trust starbucks rdns to tell me the TLS key hash for my bank's HTTPS server". so... > From: David Conrad <drc@virtualized.org> > Date: Sun, 24 Oct 2010 16:24:54 -0700 > > The problem with applications doing their own resolving is that the 'real > control' implies there is someone at the other end of the application > that has the understanding and knowledge to make use of that control. > Haven't we seen the implications of this approach with browsers that ask > the end user whether or not to accept an SSL cert? ...at the risk of being that guy who just won't shut up about something, let me say that until DNSSEC is commonplace, DNSSEC is a failure. when every apple and microsoft and google and RIM platform including every mobile phone can either validate end-to-end based on trust anchors (using DNSSEC), or validate hop-by-hop based on transaction signatures (using TSIG) from a trusted (and reachable!) rdns, then DNSSEC won't have been worth its (considerable) engineering cost. and it'll have to just work, out of the box, for nontechnical users, with no more or at least no different popups than we get from X.509 failures. but please everybody, don't dilute the DMNF thread with this argument.
- [dnsext] need new flag bit in EDNS, "do me no fav… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Colm MacCárthaigh
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Wouters
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Phillip Hallam-Baker
- Re: [dnsext] need new flag bit in EDNS, "do me no… Roy Arends
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… Roy Arends
- Re: [dnsext] need new flag bit in EDNS, "do me no… Brian Dickson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Mans Nilsson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Vixie
- [dnsext] stub validation Paul Vixie
- Re: [dnsext] stub validation Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Brian Dickson
- Re: [dnsext] need new flag bit in EDNS, "do me no… Phillip Hallam-Baker
- Re: [dnsext] need new flag bit in EDNS, "do me no… bmanning
- Re: [dnsext] stub validation David Conrad
- Re: [dnsext] stub validation Phillip Hallam-Baker
- Re: [dnsext] stub validation Masataka Ohta
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jim Reid
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… David Conrad
- [dnsext] Re: need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] need new flag bit in EDNS, "do me no… Paul Wouters
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jeffrey A. Williams
- Re: [dnsext] need new flag bit in EDNS, "do me no… Alex Bligh
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Mark Andrews
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Colm MacCárthaigh
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Brian Dickson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Phillip Hallam-Baker
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Alex Bligh
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Stephane Bortzmeyer
- [dnsext] Re: need new flag bit in EDNS, "do me no… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Alex Bligh
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jim Reid
- Re: [dnsext] need new flag bit in EDNS, "do me no… Florian Weimer
- Re: [dnsext] need new flag bit in EDNS, "do me no… Florian Weimer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Roosenraad, Chris
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Wouters
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Nicholas Weaver
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Andreas Gustafsson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Wouters
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Nicholas Weaver
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… David Conrad
- [dnsext] Re: need new flag bit in EDNS, "do me no… David Conrad
- Re: [dnsext] need new flag bit in EDNS, "do me no… David Ulevitch
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Florian Weimer
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Andreas Gustafsson
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Paul Vixie
- Re: [dnsext] Re: need new flag bit in EDNS, "do m… Jeffrey A. Williams